The March update addressed flaws across Windows, SQL Server, .NET, and other products, excluding nine browser issues Microsoft had fixed earlier in the month through separate updates. Two of the bugs disclosed this Patch Tuesday were already publicly known, but neither appears on the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list.
The most prominent issue affects SQL Server across multiple versions. CVE-2026-21262, an elevation-of-privilege vulnerability, impacts SQL Server 2025 back to SQL Server 2016 Service Pack 3. The flaw carries a CVSS v3 base score of 8.8 — just below Microsoft’s critical threshold — because attackers must already possess low-level privileges.
According to Adam Barnett, Lead Software Engineer at Rapid7, an authorised attacker can elevate privileges to sysadmin over a network.
If exploited, attackers could access or alter database data and potentially pivot to the underlying operating system through features like xp_cmdshell. Microsoft disables this by default, but sysadmins can re-enable it quickly.
Internet-wide scanning tools show large numbers of publicly accessible SQL Server instances, which raises the potential impact even though many organizations do not expose SQL Server directly online. Microsoft confirmed that the vulnerability details are public and rated exploitation as less likely, though security researchers emphasize that public disclosure increases the urgency for administrators.
CVE-2026-26127 affects .NET applications and could trigger denial-of-service conditions, potentially crashing services and creating windows in which monitoring tools and security agents are unavailable. Attackers could exploit these gaps to avoid detection while services restart.
CVE-2026-26123 affects the Microsoft Authenticator mobile app on iOS and Android, involving custom URL schemes and improper authorization. The CVSS v3 base score is 5.5, requiring user interaction. If exploited, a malicious app could impersonate Authenticator and intercept authentication information, allowing attackers to impersonate users in downstream services. Microsoft rates this as important despite the moderate score.
SQL Server 2012 Parallel Data Warehouse will move beyond extended support at the end of , ending security update eligibility. Customers running this platform will no longer receive patches afterward.
Organizations should prioritize deploying patches for CVE-2026-21262, particularly those with SQL Server instances accessible on networks. Security teams should review service account privileges and assess whether xp_cmdshell is enabled. For Authenticator users, administrators managing mobile devices should evaluate app installation policies and default handler settings for authentication applications.
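The SQL Server checks recommended above, written out as an added T-SQL audit script (not code from the article or from Microsoft); it assumes you connect to the instance with sysadmin or VIEW SERVER STATE rights and that the patch level is compared against Microsoft's advisory by hand.

```sql
-- Added audit script (not from the article): reports the items the
-- recommendations above call out and disables xp_cmdshell if found enabled.
-- Assumes a connection with sysadmin / VIEW SERVER STATE permissions.

-- 1. Patch level of this instance, to compare against the CVE-2026-21262 advisory.
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,
       SERVERPROPERTY('ProductUpdateLevel') AS update_level;

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means it is active right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Current sysadmin members: the role an attacker exploiting
--    CVE-2026-21262 would be elevating to. Review every entry.
SELECT p.name AS login_name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.name;

-- 4. Service accounts running the engine and agent; a highly privileged
--    OS account here widens what an xp_cmdshell pivot could reach.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 5. Remediation: turn xp_cmdshell off if it was found enabled.
--    'show advanced options' must be on to change it; restore it afterwards.
IF EXISTS (SELECT 1 FROM sys.configurations
           WHERE name = 'xp_cmdshell' AND value_in_use = 1)
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END;
```

Run the SELECT sections first on every instance and treat the remediation block as a change to schedule, since applications that legitimately depend on xp_cmdshell will break when it is disabled.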