IT Brief Australia - Technology news for CIOs & IT decision-makers

Microsoft patches major SQL Server flaw in March update

Fri, 13th Mar 2026

Microsoft has released fixes for 77 security vulnerabilities across its product portfolio in the March 2026 Patch Tuesday update, including a high-severity SQL Server flaw affecting multiple supported versions.

It also disclosed that two of the newly published vulnerabilities were publicly known before patches became available, though there is no evidence of active exploitation so far.

Patch overview

The March release addresses flaws across Windows, SQL Server, .NET and other products. The 77 vulnerabilities do not include nine browser issues Microsoft fixed earlier in the month through separate updates.

Two of the bugs disclosed this Patch Tuesday were already public. Neither appears on the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities list at this stage.

SQL Server risk

The most prominent issue in the latest batch affects SQL Server. Patches are available for CVE-2026-21262, an elevation-of-privilege vulnerability affecting current and older releases, from SQL Server 2025 back to SQL Server 2016 Service Pack 3.

The flaw has a CVSS v3 base score of 8.8, just below Microsoft's "critical" range because an attacker must already have low-level privileges. The advisory says an authorised attacker could gain sysadmin-level rights over the database engine across a network.

"SQL Server often goes several months in a row without any mention on Patch Tuesday. Today, however, all versions from the latest and greatest SQL Server 2025 back as far as SQL Server 2016 SP3 receive patches for CVE-2026-21262, a SQL Server elevation of privilege vulnerability. This isn't just any elevation of privilege vulnerability, either; the advisory notes that an authorised attacker can elevate privileges to sysadmin over a network. The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required," said Adam Barnett, Lead Software Engineer, Rapid7.

Microsoft confirmed that details of the SQL Server issue are public and rated exploitation as less likely. Security researchers say public disclosure still increases the urgency for administrators.

Many organisations do not expose SQL Server directly to the public internet. However, internet-wide scanning tools still show large numbers of accessible SQL Server instances, raising the potential impact if attackers develop reliable exploits for CVE-2026-21262.

Attackers who obtain sysadmin privileges could access or alter data. They could also pivot to the underlying operating system through features such as the xp_cmdshell stored procedure. Microsoft disables xp_cmdshell by default in supported versions, but a sysadmin can re-enable it quickly.

Security teams often run SQL Server under restricted service accounts. Some incident response investigations have found broader privileges configured in practice, increasing the risk that a compromise could extend to the host system.
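The two paragraphs above describe the conditions that turn a sysadmin-level compromise into a host compromise: xp_cmdshell being re-enabled and an over-privileged service account. The following T-SQL is an added example, not code from the article, Microsoft or Rapid7; it is the post-patch hygiene check a database administrator would run to record the instance's patch level, confirm xp_cmdshell is off, list sysadmin members and show which Windows account the engine runs as. It assumes a login with VIEW SERVER STATE and, for the final step, ALTER SETTINGS; the article gives no fixed build numbers, so the reported version has to be compared against Microsoft's advisory by hand.

```sql
-- Added example (not from the article). Post-patch hygiene checks for the
-- CVE-2026-21262 discussion above. Assumes VIEW SERVER STATE; step 5 also
-- needs ALTER SETTINGS (held by sysadmin).

-- 1. Record version and patch level so the March update can be confirmed.
--    Patched build numbers are not in the article; compare against the advisory.
SELECT SERVERPROPERTY('ProductVersion')     AS product_version,
       SERVERPROPERTY('ProductLevel')       AS product_level,
       SERVERPROPERTY('ProductUpdateLevel') AS update_level,
       SERVERPROPERTY('Edition')            AS edition;

-- 2. Is xp_cmdshell (or a similar OS-reaching feature) enabled?
--    value_in_use = 1 means OS command execution is reachable from T-SQL.
--    An unexpected change here after a compromise window is worth an alert.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- 3. Who holds sysadmin? Each member is a full-control path into the engine.
SELECT sp.name        AS login_name,
       sp.type_desc   AS login_type,
       sp.is_disabled
FROM   sys.server_role_members rm
JOIN   sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN   sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin'
ORDER  BY sp.name;

-- 4. Which Windows account runs the engine? LocalSystem or a domain-privileged
--    account means a sysadmin compromise extends to the host, the scenario the
--    article warns about. A per-service virtual or managed service account is
--    the restricted configuration.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM   sys.dm_server_services;

-- 5. If xp_cmdshell is on and nothing documented requires it, turn it back off.
IF EXISTS (SELECT 1 FROM sys.configurations
           WHERE name = 'xp_cmdshell' AND value_in_use = 1)
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
END;
```

Run the script on every instance in scope and keep the output; a later diff of the sysadmin list, the xp_cmdshell state or the service account against this baseline is a cheap detection for exactly the privilege escalation and pivot path described above.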

Older SQL Server editions that receive Extended Security Updates, including SQL Server 2014 and SQL Server 2012, are not listed as affected. Microsoft has not said whether the flaw is limited to newer code branches.

.NET denial-of-service

Another notable issue this month is CVE-2026-26127, which affects .NET applications and could lead to a denial-of-service condition. Microsoft has also acknowledged public disclosure of this vulnerability.

Exploitation is likely to cause service crashes. This can create short windows when monitoring tools, log shippers, or security agents are not functioning. Attackers could combine this with other activity to try to avoid detection during restart periods.

Repeated exploitation by low-skilled attackers could also create availability problems for online services and may cause organisations to breach service-level agreements.

Authenticator concern

Microsoft has also fixed CVE-2026-26123 in the Microsoft Authenticator mobile app for iOS and Android. The vulnerability involves custom URL schemes and improper authorisation, as classified under CWE-939.

Authenticator often runs on personal devices in bring-your-own-device environments and provides multi-factor authentication codes for corporate and production services. That raises the stakes if an attacker can interfere with app selection during sign-in.

The flaw has a CVSS v3 base score of 5.5 and requires user interaction: the user must choose a malicious application to handle the sign-in flow. Despite the moderate score, Microsoft rates the bug as important on its internal severity scale.

If exploited, a malicious app could impersonate Microsoft Authenticator and intercept information during authentication. An attacker could then impersonate the user in downstream services. The advisory notes that "Cwe is not in rca", offering limited insight into the internal root cause analysis.

Organisations that manage mobile devices with enterprise mobility tools may want to review how they control app installation and default handler settings for authentication apps. Policies can restrict which applications handle sensitive sign-in flows.

Lifecycle changes

Microsoft reported no broad product lifecycle milestones this month. The main change affects a specialised data warehousing platform: SQL Server 2012 Parallel Data Warehouse will move beyond extended support at the end of March, after an earlier six-month reprieve.

Customers still running SQL Server 2012 Parallel Data Warehouse will no longer receive security updates once extended support ends.