Microsoft released its ‘Patch Tuesday’ updates on 10 March 2026. These security updates address 2 vulnerabilities that have been classified as zero-day vulnerabilities.
We look at the 2 zero-day vulnerabilities in brief below. Security administrators are advised to install the latest security updates as early as possible to resolve them.
This note covers the following zero-day vulnerabilities reported and fixed on 10 February 2026.
- CVE-2026-21262 – Publicly disclosed, not exploited
- CVE-2026-26127 – Publicly disclosed, not exploited
For ready reference, here is what we mean by a zero-day vulnerability: a vulnerability that has either already been exploited by threat actors or has been publicly disclosed, so that a rise in security threat levels is imminent. Zero-day vulnerabilities need to be patched immediately.
CVE-2026-21262 – SQL Server Elevation of Privilege Vulnerability
This is a CVSS 8.8 security vulnerability that stems from the CWE-284: Improper Access Control weakness. Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network. This vulnerability affects the following:
- Microsoft SQL Server 2025 for x64-based Systems (CU2)
- Microsoft SQL Server 2022 for x64-based Systems (CU 23)
- Microsoft SQL Server 2019 for x64-based Systems (CU 32)
- Microsoft SQL Server 2025 for x64-based Systems (GDR)
- Microsoft SQL Server 2022 for x64-based Systems (GDR)
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack
- Microsoft SQL Server 2017 for x64-based Systems (CU 31)
- Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR)
- Microsoft SQL Server 2019 for x64-based Systems (GDR)
- Microsoft SQL Server 2017 for x64-based Systems (GDR)
CVE-2026-26127 – .NET Denial of Service Vulnerability
This is a CVSS 8.8 security vulnerability that stems from the CWE-125: Out-of-bounds Read weakness. An out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. This vulnerability affects the following:
- Microsoft.Bcl.Memory 9.0
- .NET 9.0 installed on Windows
- .NET 9.0 installed on Mac OS
- .NET 9.0 installed on Linux
- .NET 10.0 installed on Linux
- .NET 10.0 installed on Mac OS
- .NET 10.0 installed on Windows
- Microsoft.Bcl.Memory 10.0