Microsoft released a significant batch of security patches on Tuesday, addressing 84 new vulnerabilities across its software ecosystem. This comprehensive update includes fixes for two publicly known zero-day exploits, underscoring the ongoing threat landscape for businesses and individuals. The release marks a critical moment for IT professionals to ensure their systems are protected against potential attacks.
The latest Patch Tuesday update comprises 8 critical and 76 important vulnerabilities, covering a wide range of exploit types. Among the most concerning are flaws that allow for privilege escalation, remote code execution, and information disclosure. These updates are in addition to the 10 vulnerabilities already patched in Microsoft’s Chromium-based Edge browser since the February 2026 update.
Microsoft’s Urgent Patch Tuesday Addresses Critical Vulnerabilities
The 84 security flaws addressed in this month’s Patch Tuesday are a stark reminder of the constant battle to secure digital infrastructure. Microsoft has categorized eight of these vulnerabilities as Critical, meaning they pose an immediate and severe risk if exploited. The remaining 76 are rated as Important, still requiring prompt attention to mitigate potential damage.
The patches target a diverse array of exploit types, with privilege escalation vulnerabilities leading the pack at 46. These allow attackers to gain higher-level access to systems they have already compromised. Following closely are 18 remote code execution flaws, enabling attackers to run arbitrary code on a vulnerable system. Additionally, 10 information disclosure vulnerabilities, four spoofing flaws, four denial-of-service bugs, and two security feature bypass vulnerabilities have been addressed.
Zero-Day Exploits and High-Impact Flaws
Two zero-day vulnerabilities, meaning they were known to be exploited in the wild before Microsoft could issue a fix, are a particular focus of this release. CVE-2026-26127, a denial-of-service vulnerability in .NET with a CVSS score of 7.5, is one. The other, CVE-2026-21262, is an elevation of privilege vulnerability in SQL Server with a higher CVSS score of 8.8.
The vulnerability with the highest severity rating in this update is a critical remote code execution flaw in the Microsoft Devices Pricing Program, tracked as CVE-2026-21536. This flaw carries a CVSS score of 9.8, indicating a very high risk. Microsoft has stated that this vulnerability has been fully mitigated and no user action is required, a testament to the swift response by the company’s security teams and credit to AI-powered vulnerability discovery platforms like XBOW.
Satnam Narang, senior staff research engineer at Tenable, highlighted that over half of this month’s Patch Tuesday CVEs (55%) were privilege escalation bugs. He noted that six of these were rated as having a higher likelihood of exploitation, affecting components like the Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. Narang explained that these types of bugs are typically employed by threat actors as part of post-compromise activities, after gaining initial access through other vectors like social engineering or the exploitation of different vulnerabilities.
One specific privilege escalation flaw, CVE-2026-25187 related to Winlogon, has a CVSS score of 7.8. This vulnerability reportedly leverages improper link resolution to escalate privileges to the SYSTEM level. Google Project Zero researcher James Forshaw is credited with reporting this issue. According to Jacob Ashdown, a cybersecurity engineer at Immersive, this flaw allows a locally authenticated attacker with low privileges to gain elevated SYSTEM privileges without user interaction and with low attack complexity, making it an attractive target for attackers who have already established a presence on a system.
Another vulnerability drawing attention is CVE-2026-26118, a server-side request forgery (SSRF) bug in the Azure Model Context Protocol (MCP) server. This flaw, with a CVSS score of 8.8, could enable an authorized attacker to escalate privileges remotely over a network. Microsoft explained that an attacker could exploit this by sending specially crafted input to an MCP Server tool that accepts user-provided parameters. If an attacker can interact with an MCP-backed agent, they can substitute a malicious URL for a legitimate Azure resource identifier. The MCP Server would then send an outbound request to this malicious URL, potentially including its managed identity token, which the attacker could then capture without requiring administrative access.
Successful exploitation of this SSRF vulnerability could grant an attacker the permissions associated with the MCP Server’s managed identity. This could allow them to access or perform actions on any resources that the managed identity is authorized to reach, posing a significant risk to cloud environments.
Among the Critical-severity bugs is an information disclosure flaw in Excel, tracked as CVE-2026-26144. It has a CVSS score of 7.5 and is described as a cross-site scripting (XSS) vulnerability resulting from improper input neutralization during web page generation. Microsoft indicated that an attacker exploiting this flaw could potentially cause the Copilot Agent mode to exfiltrate data through a zero-click attack. Alex Vovk, CEO and co-founder of Action1, commented that such information disclosure vulnerabilities are particularly dangerous in corporate settings, where Excel files often contain sensitive financial data, intellectual property, and operational records. He warned that for organizations using AI-assisted productivity features, there might be an increased exposure risk, as automated agents could inadvertently transmit sensitive data outside corporate boundaries.
These patches arrive as Microsoft also announced a change to the default behavior of Windows Autopatch. The company is enabling hotpatch security updates by default to accelerate the security patching process for eligible devices. This adjustment will be effective for all eligible devices in Microsoft Intune and those accessed via the Microsoft Graph API starting with the May 2026 Windows security update. Microsoft stated that applying security fixes without requiring a restart can help organizations achieve 90% compliance compliance in half the time while maintaining administrative control.
As organizations assess and apply these critical patches, the focus will now shift to monitoring for any new exploit attempts related to the vulnerabilities that were not immediately patched or for which patches are still pending. The continuous stream of security vulnerabilities highlights the persistent need for robust cybersecurity practices, including regular patching, security awareness training, and effective threat detection and response mechanisms.