RC RANDOM CHAOS

Microsoft March 2026 Patch Tuesday: 77 Fixes, AI-Discovered CVE Marks New Era

via Krebs on Security

Original source: Microsoft Patch Tuesday, March 2026 Edition (Krebs on Security)

Microsoft’s March 2026 Patch Tuesday addresses 77 vulnerabilities with no active zero-days, but several patches warrant urgent attention. A publicly disclosed SQL Server privilege escalation flaw (CVE-2026-21262, CVSS 8.8) allows network-based elevation to sysadmin — a near-critical severity that should not be deferred. Two Office remote code execution bugs (CVE-2026-26113 and CVE-2026-26110) trigger via Preview Pane alone, requiring no user interaction beyond opening a message.

Privilege escalation dominates this cycle at 55% of total CVEs, with six rated ‘exploitation more likely’ spanning Windows Graphics, Kernel, SMB Server, Accessibility Infrastructure, and Winlogon — the last discovered by Google Project Zero. A critical RCE in the Microsoft Devices Pricing Program (CVE-2026-21536, CVSS 9.8) is already patched server-side and requires no user action, but stands out as one of the first CVEs officially attributed to discovery by a fully autonomous AI penetration testing agent, XBOW.

XBOW has led HackerOne’s bug bounty rankings for over a year and found this flaw without source code access, signaling a meaningful shift in how critical vulnerabilities get surfaced. Adobe patched 80 vulnerabilities across Acrobat and Commerce; Firefox 148.0.2 resolves three high-severity CVEs. Microsoft also issued an out-of-band patch on March 2 for a Windows Hello for Business certificate renewal failure on Server 2022.


This is an AI-generated summary. Read the original for the full story.