In a welcome relief for sysadmins, Microsoft released security updates for just 79 vulnerabilities in this month’s Patch Tuesday yesterday, including two publicly disclosed zero-days.
Microsoft categorizes zero-day vulnerabilities as flaws which have either been exploited or disclosed without a patch available.
March’s Patch Tuesday selection included CVE-2026-21262: an SQL Server elevation of privilege (EoP) bug with a CVSS score of 8.8. That’s just below “critical” severity because low-level privileges are required, said Rapid7 principal software engineer, Adam Barnett.
“Microsoft is aware of public disclosure, so while it assesses the likelihood of exploitation as less likely, it would be a courageous defender who shrugged and deferred the patches for this one,” he added.
“Most SQL Server admins and security teams concluded many years ago that exposing SQL Server directly to the internet was not a good idea. Then again, popular search engines for internet-connected devices describe tens of thousands of SQL Server instances, and they can’t all be honeypots.”
Read more on Patch Tuesday: Microsoft Fixes Six Zero Day Vulnerabilities in February Patch Tuesday.
The second zero-day vulnerability this month is CVE-2026-26127, a denial-of-service flaw in .NET.
Barnett said exploitation in the wild could be more serious than it appears.
“If a log forwarder or security agent is impacted, even for a brief period of time, an attacker might carry out an attack in that moment hoping to evade detection under cover of this artificial darkness,” he claimed.
“Even if a low-skilled attacker simply causes downtime, in some contexts that could be enough to cause an SLA breach or loss of revenue, or at the very least cause a bleary-eyed defender to get paged in the middle of the night.”
EoP Takes Center Stage
Overall, there are only three critical-rated vulnerabilities this month, two of which are remote code execution (RCE) and one an information disclosure flaw. However, the vast majority of CVEs are EoP vulnerabilities.
Ben McCarthy, lead cybersecurity engineer at Immersive, flagged the following:
- CVE-2026-23668, an EoP bug affecting the Windows Graphics Component. Exploitation requires no user interaction and could happen “entirely in the background”
- CVE-2026-24294, an EoP vulnerability in the Windows SMB Server, which is a popular target as it’s almost always enabled and active. It could provide “a reliable and direct path to system privileges,” said McCarthy
- CVE-2026-24289, an EoP flaw in the Windows Kernel, which could be used in attacks leading to code execution that “bypasses all standard security boundaries in the operating system”
