On Tuesday, Microsoft announced security patches addressing 83 vulnerabilities in its products.

None of the bugs have been flagged as exploited, but two have been publicly disclosed, according to Microsoft’s advisories, News.Az reports, citing foreign media.

These include CVE-2026-26127, a denial-of-service (DoS) issue in .NET, and CVE-2026-21262, an elevation of privilege defect in SQL Server.

“These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited,” Tenable researcher Satnam Narang points out.

Microsoft’s March 2026 Patch Tuesday updates resolve a single critical-severity flaw, namely CVE-2026-21536 (CVSS score of 9.8), a remote code execution weakness in the Devices Pricing Program that has already been fully mitigated by the tech giant.

“There is no action for users of this service to take. The purpose of this CVE is to provide further transparency,” the company notes.

Another security defect that stands out is CVE-2026-26118, an elevation of privilege issue in Azure MCP Server Tools that could be exploited by sending specially crafted input to a server tool that accepts user-supplied parameters.

“If the attacker can interact with the MCP‑backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access,” Microsoft notes.
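A defensive check for the pattern Microsoft describes, as an added example that is not taken from Microsoft's advisory or from the Azure MCP Server code: a tool parameter is accepted only if it has the shape of an Azure resource identifier, and the token is attached only when the outbound host is on an allowlist. The function names, the allowlisted host and the `api-version` placeholder are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host this hypothetical tool may send its token to.
TOKEN_HOSTS = {"management.azure.com"}

# ARM resource ID shape:
# /subscriptions/<guid>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>...
ARM_ID = re.compile(
    r"/subscriptions/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"/resourceGroups/[-\w.()]{1,90}"
    r"/providers/[a-z0-9.]+(?:/[-\w.]+){2,}",
    re.IGNORECASE | re.ASCII,
)


def validate_resource_id(value):
    """Accept only an ARM-style resource ID; a URL in its place is rejected."""
    if not isinstance(value, str) or not ARM_ID.fullmatch(value):
        raise ValueError("parameter is not an Azure resource identifier")
    return value


def may_attach_token(url):
    """True only for https requests to an allowlisted host on the default port."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Reject userinfo so "https://trusted@other-host/" cannot pass as trusted.
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return port in (None, 443) and (parts.hostname or "").lower() in TOKEN_HOSTS


def build_request(resource_id, token):
    """Build the outbound request from a validated ID, never from a caller URL."""
    rid = validate_resource_id(resource_id)
    # PLACEHOLDER stands in for a real api-version value.
    url = f"https://management.azure.com{rid}?api-version=PLACEHOLDER"
    headers = {}
    if may_attach_token(url):  # second gate, independent of input validation
        headers["Authorization"] = f"Bearer {token}"
    return {"url": url, "headers": headers}
```

The HTTP client that sends this request should also not forward the `Authorization` header across redirects to another host, since a redirect target never passes through either check.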

Narang says that the privilege escalation bugs in Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon may require attention, as such vulnerabilities are often exploited following initial access.

According to Fortra associate director Tyler Reguly, users should also pay attention to five Azure security defects addressed this month.

These include an elevation of privilege issue in Azure Linux Virtual Machines (CVE-2026-23665), and one spoofing and three information disclosure flaws in Azure IoT Explorer (CVE-2026-26121, CVE-2026-23661, CVE-2026-23662, and CVE-2026-23664).

These bugs, Reguly points out, require non-standard patching mechanisms, which may require additional effort from IT teams.

“CSOs should ensure that they have solid asset inventories around the deployment of cloud-related systems and tools, so that admins know where these things exist and when they need to be fixed. This is the best way to empower your sys admins and security teams on a quiet month like this,” Reguly said.

Microsoft also announced fixes for 10 non-Microsoft CVEs, including a flaw in the Microsoft Semantic Kernel Python SDK, and nine in Microsoft Edge (which is based on Chromium).

On Tuesday, Adobe announced the rollout of patches for 80 vulnerabilities across its products, including high-severity flaws in Adobe Commerce.
