Microsoft's March Patch Tuesday: 77 Vulnerabilities Addressed, Including AI-Discovered Flaw
**Microsoft** released security updates addressing 77 vulnerabilities across its product line, including publicly disclosed flaws in **SQL Server** and **.NET**. Of particular note is a vulnerability discovered by an AI penetration testing agent, highlighting the evolving landscape of vulnerability research.
This month's Patch Tuesday from **Microsoft Corp.** brings fixes for at least 77 vulnerabilities affecting **Windows** operating systems and other software. While there are no 'zero-day' vulnerabilities this month, several patches warrant immediate attention from organizations.

## Key Vulnerabilities Addressed
Two vulnerabilities patched this month were previously publicly disclosed:
* **CVE-2026-21262**: A privilege escalation vulnerability in **SQL Server 2016** and later editions. According to **Adam Barnett** at **Rapid7**, this flaw allows an attacker to elevate privileges to sysadmin over a network. The CVSS v3 base score is 8.8.
* **CVE-2026-26127**: A vulnerability affecting applications running on **.NET**. Exploitation crashes the application (a denial of service), and the window in which the service is restarting could be used to stage other attacks.
## Microsoft Office Targeted
As is typical, this Patch Tuesday includes critical **Microsoft Office** vulnerabilities. **CVE-2026-26113** and **CVE-2026-26110** are remote code execution flaws for which the Preview Pane is an attack vector: merely previewing a specially crafted message is enough to trigger them, with no further user interaction required.
## Privilege Escalation Bugs
**Satnam Narang** at **Tenable** points out that over half (55%) of this month's Patch Tuesday CVEs are privilege escalation bugs. Several are rated 'exploitation more likely', affecting components like Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. Key examples include:
* **CVE-2026-24291**: Incorrect permission assignments within the Windows Accessibility Infrastructure, potentially granting SYSTEM access (CVSS 7.8).
* **CVE-2026-24294**: Improper authentication in the core SMB component (CVSS 7.8).
* **CVE-2026-24289**: A high-severity memory corruption and race condition flaw (CVSS 7.8).
* **CVE-2026-25187**: A Winlogon process weakness discovered by Google Project Zero (CVSS 7.8).
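The three groups above (publicly disclosed bugs, the Preview Pane RCEs, and the 'exploitation more likely' privilege escalations) are exactly the signals an admin uses to decide what to patch first. The following triage script is an added example, not code from the article, from Microsoft, or from the researchers quoted; it ranks advisories by those signals. The exploit-status string format (`Publicly Disclosed:Yes;Exploited:No;Latest Software Release:Exploitation More Likely`) is assumed to follow the exploitability field Microsoft publishes in its CVRF data, and the sample records use placeholder CVE IDs and constructed scores rather than this month's real entries.

```python
"""Added patch-triage example: rank Patch Tuesday advisories by the
signals called out in the article. Not the article's or Microsoft's code."""
from dataclasses import dataclass


def parse_exploit_status(status: str) -> dict:
    """Parse a 'Key:Value;Key:Value' exploit-status string into a dict.

    The format is an assumption modelled on MSRC's exploitability field,
    e.g. 'Publicly Disclosed:Yes;Exploited:No;Latest Software Release:
    Exploitation More Likely'. Keys are normalised to lower case so the
    lookups below do not depend on capitalisation.
    """
    out = {}
    for part in status.split(";"):
        if ":" not in part:
            continue  # tolerate trailing separators or malformed fragments
        key, _, value = part.partition(":")
        out[key.strip().lower()] = value.strip()
    return out


@dataclass
class Advisory:
    cve: str
    impact: str       # e.g. 'Elevation of Privilege', 'Remote Code Execution'
    cvss: float       # CVSS v3 base score
    status: str       # exploit-status string in the assumed MSRC-style format
    vector: str = ""  # free text about the trigger, e.g. 'Preview Pane'


def triage_tier(adv: Advisory) -> int:
    """Lower number means patch sooner.

    0: already exploited, or publicly disclosed (exploit detail is out)
    1: RCE reachable from the Preview Pane (no interaction beyond preview)
    2: rated 'Exploitation More Likely'
    3: everything else, ordered by CVSS
    """
    st = parse_exploit_status(adv.status)
    if st.get("exploited", "").lower() == "yes" or \
            st.get("publicly disclosed", "").lower() == "yes":
        return 0
    if adv.impact == "Remote Code Execution" and "preview pane" in adv.vector.lower():
        return 1
    if any("exploitation more likely" in v.lower() for v in st.values()):
        return 2
    return 3


def rank(advisories):
    """Return advisories ordered by tier, then descending CVSS, then CVE ID."""
    return sorted(advisories, key=lambda a: (triage_tier(a), -a.cvss, a.cve))


# Constructed sample records with placeholder CVE IDs (not March's real ones).
SAMPLE = [
    Advisory("CVE-0000-0001", "Elevation of Privilege", 8.8,
             "Publicly Disclosed:Yes;Exploited:No;Latest Software Release:Exploitation Less Likely"),
    Advisory("CVE-0000-0002", "Elevation of Privilege", 7.8,
             "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely"),
    Advisory("CVE-0000-0003", "Remote Code Execution", 8.4,
             "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely",
             vector="Preview Pane"),
    Advisory("CVE-0000-0004", "Information Disclosure", 5.5,
             "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Unlikely"),
    Advisory("CVE-0000-0005", "Elevation of Privilege", 7.8,
             "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation More Likely"),
]

if __name__ == "__main__":
    for adv in rank(SAMPLE):
        print(triage_tier(adv), adv.cve, adv.impact, adv.cvss)
```

The ordering deliberately puts a publicly disclosed 8.8 ahead of a Preview Pane RCE with a higher score, and the Preview Pane RCE ahead of 'exploitation more likely' local bugs: disclosure and zero-interaction vectors shorten the attacker's timeline more than a base score does. Adjust the tiers to your own environment (for example, promote SMB bugs if the host is a file server).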
## AI-Driven Vulnerability Discovery
**Ben McCarthy**, lead cyber security engineer at **Immersive**, highlighted **CVE-2026-21536**, a critical (CVSS 9.8) remote code execution bug in the Microsoft Devices Pricing Program. Notably, this vulnerability was identified by **XBOW**, a fully autonomous AI penetration testing agent that has consistently ranked high on the HackerOne bug bounty leaderboard.
According to McCarthy, CVE-2026-21536 shows that AI agents can now find critical, 9.8-rated vulnerabilities without access to source code, a sign of the growing role of AI in vulnerability research.
## Additional Updates
Microsoft previously released patches for nine browser vulnerabilities, separate from the Patch Tuesday count. Additionally, an out-of-band update was issued on March 2 for **Windows Server 2022** to address a certificate renewal issue with Windows Hello for Business.
## Other Vendor Updates
**Adobe** released updates addressing 80 vulnerabilities in various products, including **Acrobat** and **Adobe Commerce**. **Mozilla Firefox** v. 148.0.2 resolves three high severity CVEs.
For a comprehensive breakdown, refer to the SANS Internet Storm Center's Patch Tuesday post. Windows enterprise admins should also visit AskWoody.com for updates on problematic patches. Consider leaving a comment if you encounter any issues applying this month's updates.