
Microsoft Patches 84 Flaws in March Patch Tuesday, Together with Two Public Zero-Days

Microsoft on Tuesday released patches for a set of 84 new security vulnerabilities affecting numerous software components, including two that have been listed as publicly known.

Of these, eight are rated Critical, and 76 are rated Important in severity. Forty-six of the patched vulnerabilities relate to privilege escalation, followed by 18 remote code execution, 10 information disclosure, four spoofing, four denial-of-service, and two security feature bypass flaws.

The fixes are in addition to 10 vulnerabilities that have been addressed in its Chromium-based Edge browser since the release of the February 2026 Patch Tuesday update.

The two publicly disclosed zero-days are CVE-2026-26127 (CVSS score: 7.5), a denial-of-service vulnerability in .NET, and CVE-2026-21262 (CVSS score: 8.8), an elevation of privilege vulnerability in SQL Server.

The vulnerability with the highest CVSS score in this month's update is a critical remote code execution flaw in the Microsoft Devices Pricing Program. CVE-2026-21536 (CVSS score: 9.8), per Microsoft, has been fully mitigated, and no action is required from users. Artificial intelligence (AI)-powered autonomous vulnerability discovery platform XBOW has been credited with discovering and reporting the issue.

"This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated Exploitation More Likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon," Satnam Narang, senior staff research engineer at Tenable, said.


"We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability)."

The Winlogon privilege escalation flaw (CVE-2026-25187, CVSS score: 7.8), in particular, leverages improper link resolution to obtain SYSTEM privileges. Google Project Zero researcher James Forshaw has been acknowledged for reporting the vulnerability.

"The flaw allows a locally authenticated attacker with low privileges to exploit a link-following condition in the Winlogon process and escalate to SYSTEM privileges," Jacob Ashdown, cybersecurity engineer at Immersive, said. "The vulnerability requires no user interaction and has low attack complexity, making it a straightforward target once an attacker gains a foothold."

Another vulnerability of note is CVE-2026-26118 (CVSS score: 8.8), a server-side request forgery bug in the Azure Model Context Protocol (MCP) server that could allow an authorized attacker to elevate privileges over a network.
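The link-following class of bug described above is not specific to Winlogon: any privileged component that opens a file at a path a lower-privileged user can influence must refuse to let a link redirect that open. The following is an added illustration, not code from the page or from Microsoft, written for POSIX where the kernel offers `O_NOFOLLOW` (on Windows the analogous defense is opening with `FILE_FLAG_OPEN_REPARSE_POINT` and inspecting the reparse tag; that mapping is stated here as context, not implemented). The demo directory, file names and "secret" contents are constructed for the example.

```python
import os
import stat
import tempfile


def open_without_following_links(path: str, flags: int = os.O_RDONLY) -> int:
    """Open `path` the way a privileged service should.

    O_NOFOLLOW makes the open fail (ELOOP) if the final path component is a
    symbolic link instead of silently resolving it to wherever the link's
    creator pointed it.  After opening, fstat on the descriptor (not stat on
    the path, which would reintroduce a race) confirms we hold a regular file.
    Note: intermediate directory components are still resolved normally; a
    full defense also needs the parent directory to be non-writable by
    untrusted users or a component-by-component openat() walk.
    """
    fd = os.open(path, flags | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path!r} is not a regular file")
        return fd
    except Exception:
        os.close(fd)
        raise


def demo() -> dict:
    """Constructed scenario: an unprivileged user plants a symlink at a path the
    privileged code will open, pointing at a file they cannot read themselves.
    Returns which open strategy was redirected and which refused."""
    with tempfile.TemporaryDirectory() as d:
        sensitive = os.path.join(d, "sensitive.txt")     # constructed target file
        with open(sensitive, "w") as f:
            f.write("secret")                            # constructed contents
        planted = os.path.join(d, "user_controlled.txt")  # constructed link name
        os.symlink(sensitive, planted)

        # Naive open follows the link and reads the sensitive file.
        with open(planted) as f:
            naive_followed = f.read() == "secret"

        # Hardened open refuses the link at the final component.
        try:
            fd = open_without_following_links(planted)
            os.close(fd)
            safe_rejected = False
        except OSError:
            safe_rejected = True

        # The hardened open still works on an ordinary regular file.
        fd = open_without_following_links(sensitive)
        os.close(fd)

        return {"naive_followed_link": naive_followed, "safe_rejected_link": safe_rejected}


if __name__ == "__main__":
    print(demo())
```

The important detail is that the check happens on the descriptor after the open, not on the path before it; checking the path first and opening afterwards leaves a window in which the link can be swapped in, which is exactly the race these bugs exploit.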


"An attacker could exploit this issue by sending specially crafted input to an Azure Model Context Protocol (MCP) Server tool that accepts user-supplied parameters," Microsoft said.

"If the attacker can interact with the MCP-backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access."

Successful exploitation of the vulnerability could enable an attacker to obtain the permissions associated with the MCP Server's managed identity. The attacker could then leverage this behavior to access or perform actions on any resources that the managed identity is permitted to reach.

Among the Important-severity bugs resolved by Microsoft is an information disclosure flaw in Excel. Tracked as CVE-2026-26144 (CVSS score: 7.5), it has been described as a case of cross-site scripting that occurs due to improper neutralization of input during web page generation.
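Microsoft's description above is a textbook server-side request forgery shape: a tool parameter that should name a resource is instead allowed to name a destination, and the credential that travels with the request goes wherever the destination points. The example below is an added illustration, not the Azure MCP Server's own code, showing the two checks that close that shape in a hypothetical MCP tool: the parameter is validated as an ARM resource ID (so the host is never taken from input), and the bearer token is only ever attached to an allowlisted host. The `management.azure.com` host, the `ALLOWED_TOKEN_HOSTS` set, the resource ID pattern and the sample inputs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts to which this hypothetical tool may send its managed identity token.
# Constructed allowlist; the real server's configuration is not on the page.
ALLOWED_TOKEN_HOSTS = frozenset({"management.azure.com"})

# Shape of an Azure Resource Manager resource ID, e.g.
#   /subscriptions/<guid>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
# Deliberately narrow: no scheme, no '@', no '?', no '#', no '//'.
_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}"
    r"(/resourceGroups/[A-Za-z0-9._()-]+)?"
    r"(/providers/[A-Za-z0-9.]+(/[A-Za-z0-9._-]+)+)?/?$"
)


class UnsafeTargetError(ValueError):
    """Raised when user input would steer the outbound request."""


def resolve_target(resource_id: str) -> str:
    """Map a user-supplied resource identifier to the URL the tool will call.

    The host is fixed by the tool, never derived from the parameter, so an
    attacker submitting a full URL (or anything that is not a well-formed
    resource ID) is rejected before any request is built."""
    if not isinstance(resource_id, str) or not resource_id.startswith("/"):
        raise UnsafeTargetError("expected an ARM resource ID path, not a URL")
    if not _RESOURCE_ID_RE.match(resource_id):
        raise UnsafeTargetError("malformed ARM resource ID")
    return f"https://management.azure.com{resource_id}"


def build_outbound_request(url: str, token: str) -> dict:
    """Attach the managed identity token only when the destination is trusted.

    This is the second, independent check: even if a caller bypassed
    resolve_target(), the credential cannot leave for an unknown host.
    urlsplit().hostname ignores userinfo, so 'https://management.azure.com@evil'
    is seen as host 'evil' and refused."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_TOKEN_HOSTS:
        raise UnsafeTargetError(f"refusing to send a credential to {parts.hostname!r}")
    return {
        "method": "GET",
        "url": url,
        "headers": {"Authorization": f"Bearer {token}"},
    }


def handle_tool_call(user_param: str, token: str) -> dict:
    """What a hardened tool handler does with one untrusted parameter."""
    return build_outbound_request(resolve_target(user_param), token)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate resource ID, two hostile ones.
    good = ("/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/acct1")
    for sample in (good, "https://attacker.example/capture",
                   "/subscriptions/00000000-0000-0000-0000-000000000000@attacker.example/"):
        try:
            print("allowed:", handle_tool_call(sample, "TOKEN-PLACEHOLDER")["url"])
        except UnsafeTargetError as e:
            print("rejected:", sample, "->", e)
```

Keeping the destination host out of the attacker's hands is what matters; validating the resource ID alone is not enough if some other code path can still build a URL from input, which is why the allowlist check sits on the request builder rather than only on the parser.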


The Windows maker said an attacker who exploited the weakness could potentially cause Copilot Agent mode to exfiltrate data as part of a zero-click attack.

"Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational information," Alex Vovk, CEO and co-founder of Action1, said in a statement.

"If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts. Organizations using AI-assisted productivity features may face increased exposure, as automated agents could unintentionally transmit sensitive data outside corporate boundaries."

The patches come as Microsoft said it's changing the default behavior of Windows Autopatch by enabling hotpatch security updates to help secure devices at a faster pace.

"This change in default behavior comes to all eligible devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update," Redmond said. "Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control."
