Microsoft Fixes 77 Vulnerabilities in March Patch Tuesday

Microsoft has released its March 2026 Patch Tuesday security updates, fixing at least 77 vulnerabilities across Windows operating systems and other Microsoft software products, according to a report by security researcher Brian Krebs. 

While this month’s update does not include any actively exploited zero-day vulnerabilities unlike February’s release which addressed several security experts say the patches still contain issues that organisations should address quickly.

Among the vulnerabilities patched are several classified as “critical,” meaning attackers could potentially exploit them to run malicious code remotely on affected systems with little or no user interaction.

Security researchers also highlighted two vulnerabilities that were publicly disclosed before patches were released, increasing the likelihood that attackers could attempt to exploit them now that details are available. 

One of those flaws, CVE-2026-21262, affects Microsoft SQL Server and could allow a malicious user to escalate privileges and gain administrative control over a database system if exploited.

Another vulnerability involves the .NET framework, where attackers could trigger a denial-of-service condition through specially crafted network requests.

Broad range of Microsoft products affected

The March update affects a wide range of Microsoft technologies used by businesses and consumers, including:

• Windows operating systems
• Microsoft Office and Excel
• SQL Server
• Azure cloud services
• .NET development framework

Several vulnerabilities also impact core Windows services and infrastructure components such as SMB networking, Active Directory services, Kerberos authentication, and the Windows printing subsystem. 

Because many of these components are widely used in enterprise networks, security teams are being urged to prioritize patching systems exposed to the internet or critical business services.

Microsoft releases security updates on the second Tuesday of every month, a practice commonly known in the industry as “Patch Tuesday.”

The schedule allows organizations to prepare for regular updates while giving security researchers time to analyse vulnerabilities and recommend mitigation strategies.

However, once patches are released, attackers often study the updates to reverse-engineer the underlying vulnerabilities; a phenomenon sometimes referred to as “Exploit Wednesday.”

Although the March update lacks active zero-day exploits, cybersecurity specialists say organizations should not delay installing the patches.

Newly disclosed vulnerabilities can quickly become targets for attackers once technical details become public, especially in widely deployed enterprise systems like Windows servers, Office applications, and SQL databases.

For businesses and individual users alike, applying the latest Patch Tuesday updates remains one of the simplest and most effective ways to protect systems from potential cyberattacks.