The Two Zero-Days in Microsoft's March 2026 Patch Tuesday

Analysis of KB5079473 | March 10, 2026

This month's Patch Tuesday release fixes two publicly disclosed zero-day vulnerabilities, meaning details of both flaws were already public before Microsoft had a fix ready. Neither has been confirmed as actively exploited in the wild yet, but public disclosure alone raises the risk considerably, since it hands attackers a roadmap before defenders have finished patching.


CVE-2026-21262: SQL Server Elevation of Privilege

The first and more serious of the two is CVE-2026-21262, a bug in Microsoft SQL Server that lets a logged-in user quietly climb the privilege ladder and potentially become a full database administrator. With that level of control, an attacker can read, change, or delete data, create new accounts, and tamper with database configurations or jobs. What makes this particularly dangerous is how cleanly it can be exploited: a network attacker with only low privileges could end up with SQL Server sysadmin rights. The flaw carries a CVSS score of 8.8, and the vector behind that score is what matters for triage: the bug is reachable over the network, needs only low privileges, and requires no user interaction.

In practical terms, this is the kind of vulnerability that fits neatly into the second stage of an attack: a threat actor gains initial access through phishing or a credential leak, then uses this flaw to silently promote themselves to full database control. The flaw was originally disclosed in an article titled "Packaging Permissions in Stored Procedures" and was credited to researcher Erland Sommarskog.


Who does this affect most? Primarily enterprises and organizations running SQL Server on-premises: healthcare systems, financial institutions, mid-size businesses, and any organization managing large databases internally. Cloud-hosted SQL environments on Azure may have separate mitigations, but any unpatched on-premises SQL Server deployment is genuinely exposed.


CVE-2026-26127: .NET Denial of Service

The second zero-day is CVE-2026-26127, a bug in Microsoft's .NET platform that lets an attacker remotely crash .NET applications, effectively taking them offline. The flaw lives in Microsoft .NET 9.0 and 10.0 across Windows, macOS, and Linux — it is a bug in the engine that runs .NET code, meaning any app built on affected .NET versions could be at risk. The attack outcome here is not data theft but disruption — for a public-facing web API, a payment service, or any line-of-business app built on .NET, this can mean real-world outages and degraded performance while services are repeatedly knocked offline. The flaw carries a CVSS score of 7.5.

This vulnerability has a broader potential blast radius in terms of who could be affected. Developers, SaaS companies, and any organization running customer-facing applications built on modern .NET are all in scope. Given how widely .NET is used across the software ecosystem, this vulnerability is less targeted but potentially more disruptive at scale.


Additional Notable Vulnerabilities

Beyond the two zero-days, Microsoft also patched two remote code execution bugs in Microsoft Office that can be exploited via the preview pane — meaning a user could be at risk simply by selecting a malicious document to preview rather than fully opening it. There is also a notable Excel information disclosure flaw that researchers warn could allow an attacker to exfiltrate data through Microsoft Copilot in a zero-click scenario. That last one is particularly relevant for organizations leaning heavily on Copilot for sensitive financial or operational work.


Bottom Line

This is not a month to delay patching. The SQL Server elevation flaw alone makes it urgent for any organization with database infrastructure, and the .NET denial-of-service issue is broad enough that most enterprises will have some exposure. Apply the update, and if you manage SQL Server environments, treat it as a priority rather than routine maintenance.

