Microsoft March 2026 Security Updates Patch 93 Vulnerabilities Including Zero-Days
Microsoft March 2026 security updates fix 93 flaws—8 Critical, 2 zero-days public. CVE-2026-26144 Excel Copilot data leak, SQL Server privilege escalation. Windows Server hotpatching GA now!
Microsoft March 2026 security updates dropped today with 93 vulnerability patches across Windows, Office, SQL Server, Edge, and Azure—8 Critical, 75 Important, plus 2 publicly disclosed zero-days that security teams need to slam immediately. This Patch Tuesday arrives amid escalating nation-state threats and AI-assisted exploit chains, featuring a zero-click CVE-2026-26144 Excel/Copilot flaw letting attackers exfiltrate sensitive data without user interaction, alongside CVE-2026-21262 SQL Server privilege escalation already circulating in exploit kits. Hotpatching for Windows Server 2022/2025 hits general availability—no reboots needed—while Kerberos RC4 hardening phases in ahead of April’s enforcement deadline. Enterprises staring down CISA’s Known Exploited Vulnerabilities catalog can’t afford delay; these patches close doors cracked wide by Claude’s Firefox vuln hunting proving AI finds holes faster than humans patch them.
Critical CVEs Demanding Priority (Patch Today)
CVE-2026-26144 (Excel/Copilot, Critical): Zero-click data exfiltration via malicious spreadsheets. Copilot integration amplifies risk—attaches Office docs now weaponized for enterprise reconnaissance.
CVE-2026-21262 (SQL Server, Zero-Day): Public privilege escalation. DBAs report underground markets selling $5k exploit chains targeting unpatched on-prem instances.
CVE-2026-26127 (.NET, Zero-Day): Denial-of-service crash exploitable via public APIs. Web devs must patch IIS/Azure App Services immediately.
Graphics Component RCEs (4x Critical): Windows 10/11 heap overflows weaponized in malware loaders.
Hotpatching Hits General Availability
Windows Server 2022/2025: Monthly hotpatches replace full cumulative updates—no VM restarts. Azure Edition first, on-prem monthly channel Q2. Expect 40% admin time savings.
Kerberos RC4 Hardening Phase 1: January patches enable audit mode for CVE-2026-20833. April flips to AES-SHA1 enforcement—legacy service accounts break without prep.
Complete Breakdown: 93 CVEs Patched
Edge bonus: 9 Chromium vulns synced from Google’s early March patches.
Enterprise Deployment Priority
Phase 1 (24 hours): Internet-facing servers (SQL, Office, Hyper-V)
Phase 2 (72 hours): Domain controllers, workstations
Phase 3 (7 days): Internal servers, test environments
Windows 11 25H2 highlights:
- File Explorer search reliability across drives
- Secure Boot certificate auto-delivery expansion
- Servicing stack quality improvements
Hotpatch mechanics:
Traditional Update → Reboot Required (2-4hr downtime)
Hotpatch → Live Apply (5min, zero downtime)
Zero-Day Exploit Landscape Context
CVE-2026-21262 SQL Server chains already hit dark web—$2k N-day to $20k Z-day pricing. Excel Copilot represents new vector: AI assistants amplify traditional Office exploits.
Patching velocity critical:
- CISA KEV addition likely within 14 days
- Chinese APTs already scanning (Shodan spikes)
- Ransomware gangs test chains within 48 hours
Enterprise gotchas:
- WSUS/SCCM: Hotpatch channel activation required
- Azure Update Manager: Server 2025 support live
- Intune: Windows 11 25H2 deployment rings updated
Roadmap: April Preview
Kerberos RC4 enforcement flips default April 14. Hotpatching expands to Windows 11 Enterprise LTSC. Secure Boot DB rotation monthly cadence.
Microsoft March 2026 security updates deliver breathing room against accelerating threats. Zero-days public, exploits priced, enterprises exposed—patch now or pray later. IT crews earn their keep this weekend.
