Microsoft March Patch Tuesday: AI-Discovered CVEs and SQL Zero-Day Fixes

March's updates address 83 vulnerabilities, including a landmark AI-discovered remote code execution flaw and zero-days in SQL Server and .NET, alongside significant new CLFS hardening.

AI-Powered Discovery and Critical CVEs

Adobe (however not Microsoft) has released a single update (APSB26-26) that affects Adobe Viewers and Acrobat. Because you made it this much, one item worth flagging for its novelty: CVE-2026-21536 (CVSS 9.8), a crucial unauthenticated remote code execution vulnerability in the Microsoft Instruments Prices Program, was uncovered by XBOW, an autonomous AI-powered penetration testing agent. This notes one of the first critical-severity CVEs in a Microsoft item publicly credited to an AI protection scientist.

The two unauthenticated DoS vulnerabilities are the priority for internet-facing. Web and ASP.NET Core solutions. CVE-2026-26127 is the secondly of this month’s 2 zero-days. Include these updates to your “Patch Now” implementation routine.

Windows accounts for 48 of this month’s CVEs, all rated Important. There are no proactively made use of or publicly revealed susceptabilities in the Windows classification. Microsoft flagged six CVEs as “Exploitation Most Likely,” all elevation-of-privilege susceptabilities that include:.

March Update Overview and Actionable Advice

The group at Preparedness monthly examines the latest Spot Tuesday updates from Microsoft and offers detailed, actionable testing advice. The March launch addresses 83 vulnerabilities across Windows, Office, SQL Web Server, Azure, and.NET– a modest volume with two publicly divulged zero-days influencing SQL Server and.NET (though neither is being actively made use of in the wild.).

A Windows Defender Application Control (WDAC) concern where COM things were inaccurately obstructed regardless of being covered by allowlisting policies has actually been settled in KB5079473 for Windows 11 24H2/25H2. COM things are now allowed as anticipated when matching policy guidelines are set up.

March is an additional clean month for recognized concerns. All 3 desktop KB short articles– KB5079473 (Windows 11 25H2/24H2), KB5078883 (Windows 11 23H2), and KB5078885 (Windows 10 22H2)– explicitly say Microsoft is not presently familiar with any problems.

Security Fixes for Office and Kerberos

Microsoft Office got 12 safety and security repairs, including 3 of them important. None are proactively made use of or openly divulged, and none are flagged as “Exploitation More Likely”– however the assault surface warrants focus.

March is a peaceful month for inter-cycle revisions. No previously published CVEs obtained severity upgrades, broadened affected-product checklists, or new activity demands. One of the most notable inter-patch-cycle activity was the KB5082314 out-of-band update.

Kerberos RC4 deprecation– Next month, the default encryption for solution account ticket issuance changes from RC4 to AES-SHA1 for accounts without an explicit msds-SupportedEncryptionTypes quality. The July 2026 enforcement phase removes the RC4DefaultDisablementPhase pc registry override completely.

Windows CLFS Hardening and Feature Changes

The most considerable modification this month is the introduction of Common Log Documents System (CLFS) hardening with signature confirmation, which will certainly affect how Windows takes care of log documents throughout the os.

Both Preview Pane RCEs (CVE-2026-26113, CVE-2026-26110) make this a “Spot Now” launch for Workplace. Organizations that can not deploy instantly must consider briefly disabling the Preview Pane in Expectation and Documents Explorer.

Greg Lambert is an evangelist for Application Preparedness, the online analysis and application conversion professionals. Greg is a founder of ChangeBASE, and currently chief executive officer of Application Readiness, and has considerable experience with application packaging modern technology and its implementation.

Without proactively exploited vulnerabilities, no crucial ratings, and no openly divulged problems, this is the quietest Windows month of the year up until now. Add these updates to your standard implementation timetable. (Type of impressive, eh?).

Zero-Day Analysis for SQL Server and .NET

The March spots for.NET and ASP.NET Core consist of an openly revealed zero-day: CVE-2026-26127, a denial-of-service vulnerability scored at 7.5 that affects the.NET runtime. A second.NET vulnerability (CVE-2026-26131, EoP, 7.8) and an ASP.NET Core denial-of-service problem (CVE-2026-26130, 7.5) round out the.NET updates.

CLFS is a general-purpose logging subsystem made use of by transactional NTFS, failover clustering, Windows Update, and numerous line-of-business applications. GDR patches cover SQL Web server 2016 SP3 with SQL Web Server 2025, with 10 different KB short articles covering both RTM and advancing upgrade baselines throughout all sustained versions. With no actively exploited susceptabilities, no essential ratings, and no openly disclosed concerns, this is the quietest Windows month of the year so far. Exchange Web server has actually not received any kind of safety updates this month. Add these SQL Web server updates to your Spot Currently routine.

The heading modification with this launch is the new solidifying attribute for the CLFS, delivered in KB5079473 for Windows 11 24H2. CLFS is a general-purpose logging subsystem made use of by transactional NTFS, failover clustering, Windows Update, and many line-of-business applications. The update presents trademark confirmation for CLFS log files and runs in two modes. When they are first opened and audits occasions without blocking accessibility, Discovering Setting (the first phase) immediately signs existing anonymous log documents. Enforcement Mode proactively obstructs log data that are unsigned or have mismatched signatures. This is a phased rollout– makers start in Understanding Mode, and administrators must manually change to Enforcement Setting via registry arrangement when satisfied that all log files have been properly authorized.

SQL Server had three susceptabilities, all racked up at 8.8, one of which– CVE-2026-21262, an elevation-of-privilege concern– is an openly divulged zero-day. GDR spots extend SQL Server 2016 SP3 through SQL Web Server 2025, with 10 different KB write-ups covering both RTM and cumulative update standards across all supported variations.

CVE-2026-21262 is just one of this month’s 2 zero-days. While ranked “Exploitation Much less Likely,” the general public disclosure and broad variation protection (every sustained edition) warrant top priority patching for SQL Web server environments. Exchange Server has not gotten any protection updates this month. Include these SQL Server updates to your Patch Currently routine.