March Patch Tuesday: 79 Bugs, 46 Privilege Escalations, and a Copilot That Snitches on Your Spreadsheets
Happy Monday. Microsoft dropped 79 patches earlier this month, and if you haven't rolled them out yet, this is your sign. Two zero-days, 46 privilege escalation bugs, and one vulnerability that lets an AI assistant steal your data without you clicking a thing.
Let's break it down.
The Number That Should Scare You: 55%
More than half of this month's CVEs — 46 out of 79 — are privilege escalation vulnerabilities. That's not normal. That means attackers who get a toehold on your network have nearly four dozen potential paths to SYSTEM-level access.
The worst offenders are in the Windows Kernel (CVE-2026-24289, CVE-2026-26132), Windows SMB Server (CVE-2026-24294), and Windows Graphics (CVE-2026-23668). All are use-after-free or improper access control bugs, all let authenticated users escalate to SYSTEM, and Microsoft flagged all of them as "exploitation more likely."
Translation: if an attacker is already inside your perimeter — phishing, stolen creds, whatever — these bugs are the escalator to full domain compromise.
The Two Zero-Days
Neither was actively exploited at release (first time in six months — small miracle), but both were publicly disclosed before patches shipped.
CVE-2026-21262 — SQL Server Elevation of Privilege (CVSS 8.8)
A low-privileged SQL user can escalate to full sysadmin. That means complete database control: read everything, modify anything, create new logins, and establish persistence. If you run SQL Server and haven't patched, assume you're one compromised service account away from a very bad day.
CVE-2026-26127 — .NET Denial of Service (CVSS 7.5)
An out-of-bounds read in Base64Url decoding that crashes .NET 9.0 and 10.0 apps. No auth required, remotely triggerable. Microsoft says exploitation is "unlikely," but the code is public now, so that assessment has a shelf life.
The One Nobody's Talking About Enough
CVE-2026-26144 might be the most fascinating vulnerability Microsoft has ever patched.
It's an Excel Copilot data exfiltration bug. Zero-click. An attacker crafts a spreadsheet that, when opened by someone with Copilot Agent mode enabled, tricks the AI into autonomously exfiltrating the spreadsheet's data over the network. No macros. No user interaction. The AI does the stealing for you.
Read that again. The security vulnerability is the AI assistant.
This is the first major CVE in the "weaponized AI agent" category, and it won't be the last. If your org has rolled out Copilot broadly, this one needs to be at the top of your patch list — and it should prompt a conversation about what permissions your AI tools actually have.
What About the Office Bugs?
Six remote code execution vulnerabilities across Office and Excel (CVE-2026-26110, CVE-2026-26113, and four more in Excel). The nastiest part: the Office Preview Pane can trigger them. That means simply selecting an email attachment in Outlook — without opening it — could execute arbitrary code.
CVSS 8.4 on the worst ones. Patch these before your users come back from lunch.
Your Monday Morning Checklist
Patch now (Priority 1):
SQL Server — CVE-2026-21262 (the sysadmin escalation)
Office/Excel — all six RCE bugs, especially if Preview Pane is enabled
Excel Copilot — CVE-2026-26144 (if you've deployed Copilot)
.NET apps exposed to the internet — CVE-2026-26127
Patch this week (Priority 2):
Windows Kernel EoP bugs (CVE-2026-24289, CVE-2026-26132)
SMB Server EoP (CVE-2026-24294)
Windows Graphics EoP (CVE-2026-23668)
Watch for stability issues: The Windows 11 cumulative update (KB5079473) has reports of system freezes, BSoDs, and installation rollback loops. Stage your rollout with a pilot group first, and keep your rollback automation ready.
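One way to run that pilot, as an added example that is not from the newsletter: a PowerShell check that confirms KB5079473 is present on each pilot machine and counts crash and install-failure events since the deployment window. The pilot hostnames, the seven-day window and remote access over RPC/WMI are assumptions.

```powershell
# Added example: pilot-group health check for the March cumulative update
# before the broad rollout. Assumes RPC/WMI access to the pilot machines and
# that $PilotGroup holds your own hostnames (the names below are placeholders).
$Kb         = 'KB5079473'                 # the cumulative update from the checklist
$PilotGroup = @('PILOT-01', 'PILOT-02')   # placeholder hostnames, replace with yours
$Since      = (Get-Date).AddDays(-7)      # assumed deployment window

function Test-PilotPatchHealth {
    param(
        [string[]]$ComputerName,
        [string]$HotFixId,
        [datetime]$StartTime
    )

    foreach ($c in $ComputerName) {
        # Is the update actually installed, or did it roll back?
        $installed = [bool](Get-HotFix -Id $HotFixId -ComputerName $c -ErrorAction SilentlyContinue)

        # System log events worth watching in a pilot:
        #   41   Kernel-Power: machine rebooted without a clean shutdown (freeze/hang)
        #   1001 BugCheck: a blue screen was recorded
        #   20   WindowsUpdateClient: installation failure (rollback candidate)
        $events = Get-WinEvent -ComputerName $c -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'System'
            Id        = 41, 1001, 20
            StartTime = $StartTime
        }

        [pscustomobject]@{
            Computer     = $c
            KbInstalled  = $installed
            Crashes      = @($events | Where-Object { $_.Id -in 41, 1001 }).Count
            InstallFails = @($events | Where-Object { $_.Id -eq 20 }).Count
        }
    }
}

# Any row with KbInstalled = False or a non-zero Crashes/InstallFails count
# is a reason to hold the broad rollout and keep the rollback path ready.
Test-PilotPatchHealth -ComputerName $PilotGroup -HotFixId $Kb -StartTime $Since |
    Format-Table -AutoSize
```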
The Bigger Picture
February's Patch Tuesday had 6 actively exploited zero-days. March has zero — which feels like a breather until you look at the 55% privilege escalation ratio. Attackers aren't finding new doors this month; they're finding better staircases once they're inside.
And the Copilot bug? That's a preview of a whole new vulnerability class. When your AI tools can act autonomously on data, every trust boundary needs to be re-examined. We'll be writing a lot more about this category in the months ahead.
Stay patched. Stay paranoid. See you Wednesday.

