Microsoft on Tuesday released patches for a set of 84 new security vulnerabilities affecting various software components, including two that have been listed as publicly known.
Of these, eight are rated Critical, and 76 are rated Important in severity. Forty-six of the patched vulnerabilities relate to privilege escalation, followed by 18 remote code execution, 10 information disclosure, four spoofing, four denial-of-service, and two security feature bypass flaws.
The fixes are in addition to 10 vulnerabilities that have been addressed in its Chromium-based Edge browser since the release of the February 2026 Patch Tuesday update.
The two publicly disclosed zero-days are CVE-2026-26127 (CVSS score: 7.5), a denial-of-service vulnerability in .NET, and CVE-2026-21262 (CVSS score: 8.8), an elevation of privilege vulnerability in SQL Server.
The vulnerability with the highest CVSS score in this month's update is a critical remote code execution flaw in the Microsoft Devices Pricing Program. CVE-2026-21536 (CVSS score: 9.8), per Microsoft, has been fully mitigated, and no action is required from users. Artificial intelligence (AI)-powered autonomous vulnerability discovery platform XBOW has been credited with discovering and reporting the issue.
"This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated Exploitation More Likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon," Satnam Narang, senior staff research engineer at Tenable, said.
"We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability)."
The Winlogon privilege escalation flaw (CVE-2026-25187, CVSS score: 7.8), specifically, leverages improper link resolution to obtain SYSTEM privileges. Google Project Zero researcher James Forshaw has been acknowledged for reporting the vulnerability.
"The flaw allows a locally authenticated attacker with low privileges to exploit a link-following condition in the Winlogon process and escalate to SYSTEM privileges," Jacob Ashdown, cybersecurity engineer at Immersive, said. "The vulnerability requires no user interaction and has low attack complexity, making it an easy target once an attacker gains a foothold."
Another vulnerability of note is CVE-2026-26118 (CVSS score: 8.8), a server-side request forgery bug in the Azure Model Context Protocol (MCP) server that could allow an authorized attacker to elevate privileges over a network.
"An attacker could exploit this issue by sending specially crafted input to an Azure Model Context Protocol (MCP) Server tool that accepts user-provided parameters," Microsoft said.
"If the attacker can interact with the MCP-backed agent, they can submit a malicious URL in place of a normal Azure resource identifier. The MCP Server then sends an outbound request to that URL and, in doing so, may include its managed identity token. This allows the attacker to capture that token without requiring administrative access."
Successful exploitation of the vulnerability could enable an attacker to obtain the permissions associated with the MCP Server's managed identity. The attacker could then leverage this behavior to access or perform actions on any resources that the managed identity is permitted to reach.
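To make the SSRF mechanism above concrete from a defender's side, here is a constructed Python illustration (not the Azure MCP server's code): a tool handler takes a user-supplied "resource" parameter that is supposed to be an ARM resource ID, and the vulnerable request builder is shown beside a hardened one that only accepts a well-formed resource ID and rebuilds the outbound URL from a pinned management host. The management host, API version and the allowlisted character classes are assumptions made for the example.

```python
"""Constructed, defensive illustration of the SSRF pattern described above.

Not the Azure MCP server's code. The vulnerable builder lets any caller-supplied
URL become the request target while still attaching the managed-identity token;
the hardened builder parses an ARM resource ID and rebuilds the URL itself.
"""
import re
from urllib.parse import quote, urlsplit

# Assumed fixed management endpoint and API version for this example.
MANAGEMENT_HOST = "https://management.azure.com"
API_VERSION = "2021-04-01"

# ARM resource ID: /subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}
# Character classes are a conservative allowlist (assumption), tighter than ARM's own rules.
_ARM_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<rg>[A-Za-z0-9_.()-]{1,90})"
    r"/providers/(?P<ns>[A-Za-z0-9.]+)/(?P<type>[A-Za-z0-9]+)/(?P<name>[A-Za-z0-9_.-]+)$"
)


def build_request_vulnerable(resource: str, token: str) -> dict:
    """Mirrors the flaw: caller-controlled input decides where the bearer token is sent."""
    target = resource if resource.startswith("http") else MANAGEMENT_HOST + resource
    return {"url": f"{target}?api-version={API_VERSION}",
            "headers": {"Authorization": f"Bearer {token}"}}


def build_request_hardened(resource: str, token: str) -> dict:
    """Accept only a well-formed ARM resource ID and rebuild the URL from fixed parts."""
    m = _ARM_ID.match(resource)
    if m is None:
        raise ValueError("resource must be an ARM resource ID, not a URL")
    seg = {k: quote(v, safe="") for k, v in m.groupdict().items()}  # no '/', '@', '?' survive
    url = (f"{MANAGEMENT_HOST}/subscriptions/{seg['sub']}/resourceGroups/{seg['rg']}"
           f"/providers/{seg['ns']}/{seg['type']}/{seg['name']}?api-version={API_VERSION}")
    if urlsplit(url).netloc != urlsplit(MANAGEMENT_HOST).netloc:  # belt-and-braces host pin
        raise ValueError("outbound host drifted from the pinned management endpoint")
    return {"url": url, "headers": {"Authorization": f"Bearer {token}"}}


def token_leaks_offhost(req: dict) -> bool:
    """True when the Authorization header would go to a host other than the pinned one."""
    pinned = urlsplit(MANAGEMENT_HOST).netloc
    return "Authorization" in req["headers"] and urlsplit(req["url"]).netloc != pinned
```

The same host-pinning check in `token_leaks_offhost` is also a cheap detection: log any outbound request whose destination host differs from the pinned endpoint before the token is attached.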
Among the Critical-severity bugs resolved by Microsoft is an information disclosure flaw in Excel. Tracked as CVE-2026-26144 (CVSS score of 7.5), it has been described as a case of cross-site scripting that occurs due to improper neutralization of input during web page generation.
The Windows maker said an attacker who exploited the weakness could potentially cause Copilot Agent mode to exfiltrate data as part of a zero-click attack.
"Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records," Alex Vovk, CEO and co-founder of Action1, said in a statement.
"If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts. Organizations using AI-assisted productivity features may face increased exposure, as automated agents could inadvertently transmit sensitive data outside corporate boundaries."
The patches come as Microsoft said it is changing the default behavior of Windows Autopatch by enabling hotpatch security updates to help secure devices at a faster pace.
"This change in default behavior comes to all eligible devices in Microsoft Intune and those accessing the service via Microsoft Graph API starting with the May 2026 Windows security update," Redmond said. "Applying security fixes without waiting for a restart can get organizations to 90% compliance in half the time, while you remain in control."
