Microsoft has rolled out security updates addressing 84 new vulnerabilities across multiple software components, with two of them publicly disclosed.
Of these vulnerabilities, eight are classified as Critical and 76 as Important. Most patches (46) relate to privilege escalation, followed by 18 remote code execution flaws, 10 information disclosure issues, four spoofing weaknesses, four denial-of-service bugs, and two security feature bypasses.
These updates supplement ten vulnerabilities already resolved in Microsoft’s Chromium-based Edge browser since the February 2026 Patch Tuesday release.
Publicly Known Zero-Day Vulnerabilities
The two publicly disclosed zero-days include:
- CVE-2026-26127 (CVSS 7.5): a denial-of-service vulnerability in .NET
- CVE-2026-21262 (CVSS 8.8): a privilege escalation issue in SQL Server
The highest-rated vulnerability this month is a critical remote code execution flaw in the Microsoft Devices Pricing Program (CVE-2026-21536, CVSS 9.8). Microsoft confirmed the issue has been fully mitigated, requiring no action from users. The discovery was credited to XBOW, an AI-driven autonomous vulnerability detection platform.
Privilege Escalation Remains a Major Threat
According to Satnam Narang, senior staff research engineer at Tenable, “Over half (55%) of this month’s Patch Tuesday vulnerabilities involve privilege escalation, six of which are considered more likely to be exploited across Windows Graphics Component, Accessibility Infrastructure, Kernel, SMB Server, and Winlogon.”
These vulnerabilities are often exploited by attackers post-compromise, after gaining initial access through social engineering or other flaws.
Notable Vulnerabilities
- Winlogon Privilege Escalation (CVE-2026-25187, CVSS 7.8): Allows locally authenticated users to escalate to SYSTEM privileges without user interaction. Google Project Zero researcher James Forshaw reported the flaw.
- Azure Model Context Protocol Server (CVE-2026-26118, CVSS 8.8): A server-side request forgery vulnerability that could let attackers obtain managed identity permissions by sending crafted input to the MCP server.
- Excel Information Disclosure (CVE-2026-26144, CVSS 7.5): A cross-site scripting flaw that could cause the AI-powered Copilot Agent to leak sensitive corporate data silently.
Faster Security Updates with Windows Autopatch
Microsoft is also adjusting the default behavior of Windows Autopatch by enabling hotpatch security updates. This allows devices to receive security fixes faster, without waiting for a restart. The change will apply to eligible devices in Microsoft Intune and those using Microsoft Graph API starting May 2026. Microsoft claims this approach can achieve 90% compliance in half the usual time while keeping administrators in control.