What Happened
Microsoft released its March 2026 Patch Tuesday on March 11, 2026, with security updates addressing 84 vulnerabilities across Windows, Microsoft SQL Server, Microsoft Office, .NET, Azure, and Edge. The release includes two publicly disclosed zero-days and eight critical-severity flaws.
CVE-2026-21262 (CVSS 8.8) is an elevation of privilege vulnerability in Microsoft SQL Server. An authenticated attacker with any SQL Server login — including a low-privilege service account — exploits improper access control over a standard network connection to elevate to full SQL Server sysadmin. From there, the attacker gains complete control of the affected database instance: reading and altering data, modifying configurations, creating new logins, and establishing persistence. Microsoft credited Erland Sommarskog with reporting the flaw, and the vulnerability was publicly disclosed before the patch was available.
CVE-2026-26127 (CVSS 7.5) is a denial-of-service vulnerability in .NET 9.0 and 10.0 on Windows, macOS, and Linux. An unauthenticated remote attacker triggers an out-of-bounds read to crash .NET applications. This flaw was also publicly disclosed before patching.
Two additional critical-rated remote code execution vulnerabilities — CVE-2026-26110 and CVE-2026-26113 — affect Microsoft Office. Both are exploitable through the Outlook preview pane: opening a malicious attachment in preview is sufficient to trigger code execution, with no macro enablement or further user interaction required.
Why This Matters for Canadian Organizations
Microsoft SQL Server underpins database infrastructure across Canada’s banking, insurance, healthcare, and government sectors. CVE-2026-21262 requires only an authenticated SQL connection — a condition met by compromised service accounts, contractor credentials, or any insider with database access. A successful escalation gives an attacker full database administrator control, including the ability to export sensitive data, alter records, or use SQL Server as a foothold into connected systems.
The preview-pane Office RCE vulnerabilities represent a significant phishing risk for Canadian users. Employees in finance, legal, and government regularly preview external documents as part of daily workflows. Neither CVE-2026-26110 nor CVE-2026-26113 requires the victim to enable macros or open an attachment in full — previewing the file in Outlook is the attack surface. This lowers the bar for phishing-based initial access substantially.
Both zero-days were publicly disclosed before patches were available, meaning threat actors had time to build working exploits. Organizations applying patches on standard monthly cycles are several weeks behind these two CVEs.
What to Do
Apply the March 2026 Patch Tuesday updates across all Windows, SQL Server, Office, and .NET environments without delay. Prioritize SQL Server patching wherever CVE-2026-21262 applies, particularly on instances accessible by service accounts or external systems. Audit SQL Server logins for dormant accounts and over-permissioned credentials. Where immediate patching is not possible, disable the Outlook preview pane for users processing external attachments. Review .NET deployment inventories and apply updates to all versions in scope for CVE-2026-26127.
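The audit steps above (confirm the SQL Server build, find over-permissioned logins, flag dormant credentials) can be run from one T-SQL script. The script below is an added example and is not from the advisory, BleepingComputer, Krebs on Security, or Microsoft; it uses only standard SQL Server catalog views and SERVERPROPERTY values, and the 90-day dormancy threshold and the list of roles treated as high-privilege are assumptions. Run it on each instance as a sysadmin (or a login holding VIEW SERVER STATE and VIEW ANY DEFINITION) and compare the reported build against the March 2026 cumulative update level Microsoft publishes for that version.

```sql
-- Added example (not the advisory's or Microsoft's code): SQL Server audit
-- supporting the "What to Do" steps. Run on every instance in scope.
-- Assumptions: @dormant_days = 90 and the four roles below are the ones
-- treated as high-privilege; adjust both to local policy.

-- 1. Record the build so it can be compared with the March 2026 update level.
SELECT
    SERVERPROPERTY('MachineName')        AS machine_name,
    SERVERPROPERTY('InstanceName')       AS instance_name,   -- NULL for the default instance
    SERVERPROPERTY('ProductVersion')     AS product_version,
    SERVERPROPERTY('ProductLevel')       AS product_level,   -- e.g. RTM / SPn
    SERVERPROPERTY('ProductUpdateLevel') AS product_update_level;  -- e.g. CUn

-- 2. Over-permissioned principals: every member of a high-privilege fixed
--    server role, with its authentication type and enabled state.
--    Service accounts and contractor logins appearing here deserve review.
SELECT
    r.name        AS server_role,
    m.name        AS member_name,
    m.type_desc   AS principal_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, SERVER_ROLE
    m.is_disabled,
    m.create_date,
    m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin', 'processadmin')
ORDER BY r.name, m.name;

-- 3. Candidate dormant SQL-authenticated logins. SQL Server does not persist
--    a last-login timestamp, so this uses the best on-box proxies: no open
--    session right now and no change to the login in the last @dormant_days.
--    Confirm against login audit or Extended Events data before disabling.
DECLARE @dormant_days int = 90;   -- assumed threshold

SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,      -- 0 = password policy not enforced
    l.is_expiration_checked,  -- 0 = password never expires
    l.modify_date,
    DATEDIFF(day, l.modify_date, SYSDATETIME()) AS days_since_modified
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND l.name NOT LIKE '##%'   -- skip internal certificate-based logins
  AND NOT EXISTS (SELECT 1 FROM sys.dm_exec_sessions AS s WHERE s.login_name = l.name)
  AND DATEDIFF(day, l.modify_date, SYSDATETIME()) > @dormant_days
ORDER BY days_since_modified DESC;
```

The third query deliberately reports candidates rather than disabling anything: because the catalog keeps no last-login time, a login that has not been modified in months may still be in daily use by a batch job, so each hit should be checked against login auditing before being disabled or dropped.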
Source: BleepingComputer | Krebs on Security

