
Microsoft's March Patch Tuesday Fixes 2 Zero-Days and 79 Vulnerabilities — Including Critical Office Preview Pane Bugs
The March 2026 Patch Tuesday addresses 79 flaws across Windows, Office, and SQL Server, with two publicly disclosed zero-days and three Critical-rated remote code execution bugs.
What Got Patched
Microsoft's March 2026 Patch Tuesday landed on March 11 with fixes for 79 security vulnerabilities — a moderately heavy month that includes two publicly disclosed zero-day flaws and three Critical-rated remote code execution bugs that deserve immediate attention from enterprise security teams.
The two zero-days are CVE-2026-21262, an elevation of privilege vulnerability in SQL Server that allows authenticated attackers to escalate to SQL admin privileges, and CVE-2026-26127, a denial-of-service vulnerability in .NET caused by an out-of-bounds read. Both were publicly disclosed before patches were available, though neither has been observed in active exploitation — yet.
The Office Preview Pane Problem
The three Critical-rated RCEs are particularly noteworthy because two of them affect Microsoft Office and can be triggered through the Preview Pane in Outlook and File Explorer. That means a user doesn't even need to open a malicious document: simply previewing it in File Explorer or having it render in Outlook's reading pane is enough to execute arbitrary code.
These preview pane vulnerabilities have been a recurring theme in Patch Tuesdays throughout 2025 and 2026, and they represent a genuine challenge for enterprise security teams. Email filtering can catch known malicious attachments, but the preview pane attack surface means that any document that makes it past the filter becomes a potential exploit vector without any user interaction beyond receiving the email.
The Broader Patch Landscape
Beyond the headlines, the March batch includes fixes across Windows kernel components, Hyper-V, Azure services, and the Windows networking stack. The SQL Server zero-day is particularly relevant for organizations running on-premises database infrastructure, where SQL admin privileges can cascade into broader network compromise.
For security teams planning their patch cycle, the priority order is clear: Office preview pane RCEs first (widest exposure and least user interaction required), followed by the SQL Server elevation of privilege, then the remaining Critical-rated fixes. The .NET DoS vulnerability is lower priority for most environments unless you're running internet-facing .NET services.
Sources: BleepingComputer (March 11, 2026), Krebs on Security (March 11, 2026), Microsoft Security Response Center (March 11, 2026)
