Microsoft Patches 83 Vulnerabilities
Microsoft on Tuesday announced patches for 83 vulnerabilities affecting its products.
While none of the bugs have been flagged as exploited, two of them have been publicly disclosed, Microsoft’s advisories reveal.
These include CVE-2026-26127, a denial-of-service (DoS) issue in .NET, and CVE-2026-21262, an elevation of privilege defect in SQL Server.
“These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited,” Tenable researcher Satnam Narang points out.
Microsoft’s March 2026 Patch Tuesday updates resolve a single critical-severity flaw, namely CVE-2026-21536 (CVSS score of 9.8), a remote code execution weakness in Devices Pricing Program that has already been fully mitigated by the tech giant.
“There is no action for users of this service to take. The purpose of this CVE is to provide further transparency,” the company notes.
Another security defect that stands out is CVE-2026-26118, an elevation of privilege issue in Azure MCP Server Tools that could be exploited by sending specially crafted input to a server tool that accepts user-supplied parameters.
“If the attacker can interact with the MCP‑backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access,” Microsoft notes.
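One way a server tool could guard against the pattern described for CVE-2026-26118, shown as an added example; it is not Microsoft's fix or Azure MCP Server code. The function names, the single-host allowlist, the default API version and the sample values are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: this tool only ever needs to call Azure Resource Manager.
ALLOWED_HOSTS = {"management.azure.com"}

_GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
_SEG = r"[A-Za-z0-9][A-Za-z0-9._()-]*"
# /subscriptions/<guid>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/<type>/<name>...]
_RESOURCE_ID = re.compile(
    rf"/subscriptions/{_GUID}/resourceGroups/{_SEG}"
    rf"/providers/{_SEG}(?:/{_SEG}/{_SEG})+",
    re.IGNORECASE,
)
_API_VERSION = re.compile(r"\d{4}-\d{2}-\d{2}(?:-preview)?")


def parse_resource_id(value):
    """Return value if it is a plain ARM resource ID, else raise ValueError."""
    # fullmatch rejects schemes, '//host' prefixes, '@', '?', '#' and whitespace.
    if not isinstance(value, str) or not _RESOURCE_ID.fullmatch(value):
        raise ValueError("parameter is not an Azure resource identifier")
    return value


def build_request(resource_id, token, api_version="2021-04-01"):
    """Build the outbound URL and headers for a user-supplied resource ID.

    The managed identity token is attached only after the final destination
    has been checked against the host allowlist.
    """
    path = parse_resource_id(resource_id)
    if not _API_VERSION.fullmatch(api_version):
        raise ValueError("unexpected api-version")
    url = f"https://management.azure.com{path}?api-version={api_version}"
    parts = urlsplit(url)
    # Defense in depth: re-check the destination before adding credentials.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("refusing to send credentials to unexpected host")
    return url, {"Authorization": f"Bearer {token}"}
```

The same allowlist check belongs on any redirect target as well, so that credentials are never forwarded to a host the tool did not choose.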