March 2026 Patch Tuesday summary
Microsoft released its monthly Patch Tuesday updates on March 10, 2026, addressing 84 vulnerabilities, including 2 publicly disclosed zero-days. This bulletin is particularly dense and warrants immediate attention from IT and security teams.
The 2 zero-days to watch
CVE-2026-26127 (CVSS 7.5): Denial-of-service vulnerability in .NET 9.0 and 10.0. While the CVSS score is moderate, public disclosure before patching increases exploitation risk.
CVE-2026-21262 (CVSS 8.8): Privilege escalation in SQL Server. An authenticated attacker can gain administrative rights on the SQL instance. High priority for database environments.
Beyond Microsoft
March 2026 has been a busy month for patches across the board:
- Google Chrome: 2 zero-days actively exploited in the wild, patched urgently. Update immediately.
- Android: 129 vulnerabilities patched, including CVE-2026-21385 (Qualcomm, actively exploited) and CVE-2026-0006 (critical remote code execution).
Prioritization for security teams
| Priority | CVE | Product | CVSS score / severity | Action |
|---|---|---|---|---|
| Critical | CVE-2026-0006 | Android | Critical | Immediate patch |
| Critical | Chrome zero-days | Chrome | High | Update browsers |
| High | CVE-2026-21262 | SQL Server | 8.8 | Patch within 48h |
| High | CVE-2026-21385 | Android/Qualcomm | High | Mobile patch |
| Medium | CVE-2026-26127 | .NET | 7.5 | Patch within 7 days |
Recommendations
- Deploy Chrome patches first: zero-days are being actively exploited.
- SQL Server: if you expose instances on the network, CVE-2026-21262 is critical.
- Mobile fleet: coordinate with your MDM to push Android patches.
- Test before deploying: as always, validate patches in a staging environment before production rollout.
Sources
- Microsoft Patches 84 Flaws - The Hacker News
- March 2026 Patch Tuesday Zero-Day Fixes - Malwarebytes
- Google Chrome Zero-Days - Malwarebytes