
Microsoft on Tuesday released patches for a set of 84 new security vulnerabilities affecting various software components, including two listed as publicly known.
Of these, 8 are rated as “critical” and 76 are rated as “important.” Forty-six of the patched vulnerabilities are related to privilege escalation, followed by remote code execution (18), information disclosure (10), spoofing (4), denial of service (4), and security feature bypass flaws (2).
These fixes are in addition to 10 vulnerabilities that have been addressed in the Chromium-based Edge browser since the release of the February 2026 Patch Tuesday update.
The two publicly disclosed zero-days are CVE-2026-26127, a .NET denial of service vulnerability (CVSS score: 7.5), and CVE-2026-21262, a SQL Server privilege elevation vulnerability (CVSS score: 8.8).
The vulnerability with the highest CVSS score in this month’s update is a critical remote code execution flaw in the Microsoft Device Pricing Program, tracked as CVE-2026-21536 (CVSS score: 9.8). According to Microsoft, the issue has already been fully mitigated on its side and requires no action from users of the service. XBOW, an autonomous vulnerability discovery platform powered by artificial intelligence (AI), is credited with discovering and reporting the issue.
“This month, more than half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, six of which were rated as likely to be exploited across Windows Graphics Components, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon,” said Satnam Narang, Senior Staff Research Engineer at Tenable.
“We find that these bugs are typically used by attackers as part of their post-compromise activities once they have entered the system through other means (social engineering, exploitation of another vulnerability).”
Specifically, the Winlogon privilege escalation flaw (CVE-2026-25187, CVSS score: 7.8) stems from improper link resolution before file access (link following), which a local attacker can abuse to gain SYSTEM privileges. Google Project Zero researcher James Forshaw is credited with reporting this vulnerability.
“This vulnerability allows a locally authenticated attacker with low privileges to exploit the link tracing condition of the Winlogon process and escalate to SYSTEM privileges,” said Jacob Ashdown, a cybersecurity engineer at Immersive. “This vulnerability does not require user interaction and has low attack complexity, making it an easy target for attackers to gain a foothold.”
Another notable vulnerability is CVE-2026-26118 (CVSS score: 8.8). This is a server-side request forgery bug in the Azure Model Context Protocol (MCP) server that could allow an authorized attacker to escalate privileges over the network.
“An attacker could exploit this issue by sending specially crafted input to the Azure Model Context Protocol (MCP) server tool that accepts user-specified parameters,” Microsoft said.
“If an attacker is able to interact with an MCP-backed agent, they could send a malicious URL instead of a normal Azure resource identifier. The MCP server then sends an outbound request to that URL, which may include a managed identity token. This allows the attacker to obtain that token without requiring administrative access.”
Successful exploitation of this vulnerability could allow an attacker to obtain privileges associated with the managed identity of an MCP server. An attacker could use this behavior to access or perform actions on resources that the managed identity is authorized to access.
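The pattern Microsoft describes, as an added example that is not Microsoft's code and not the Azure MCP server's implementation: a tool handler that accepts a caller-supplied Azure resource identifier, builds an Azure Resource Manager request from it and attaches the server's managed identity token. The vulnerable version trusts the parameter and so sends the token wherever the parameter points; the hardened version validates the parameter against the resource-ID grammar and re-checks the parsed host before attaching credentials. All names (ARM_HOST, RESOURCE_ID_RE, build_request_vulnerable, build_request_hardened, token_destination) and the token and resource strings are assumptions constructed for the illustration; no network request is made, the functions only return the request that would be sent so the destination of the bearer token can be inspected.

```python
import re
from urllib.parse import urlsplit

# Host of the Azure Resource Manager API: the only place an ARM-backed tool
# should ever send a managed identity token. (Hypothetical constant name.)
ARM_HOST = "management.azure.com"

# Grammar of an ARM resource identifier (assumed, simplified): a GUID
# subscription, a resource group, a provider namespace and at least one
# type/name pair. A full URL, a userinfo prefix or a second host cannot match.
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"/resourceGroups/[A-Za-z0-9_.()-]{1,90}"
    r"/providers/Microsoft\.[A-Za-z]+(?:/[A-Za-z]+/[A-Za-z0-9_.-]+)+$",
    re.IGNORECASE,
)


def build_request_vulnerable(resource: str, token: str) -> dict:
    """Handler with the flaw the advisory describes: the caller-supplied
    'resource' is trusted to be an ARM resource ID and spliced into the URL,
    and the managed identity bearer token is attached regardless of where
    the request will actually go."""
    if resource.startswith("http://") or resource.startswith("https://"):
        url = resource  # a full URL is accepted as-is
    else:
        url = f"https://{ARM_HOST}{resource}?api-version=2021-04-01"
    return {"url": url, "headers": {"Authorization": f"Bearer {token}"}}


def build_request_hardened(resource: str, token: str) -> dict:
    """Same handler with the fix: validate the parameter against the
    resource-ID grammar, build the URL from a fixed host, and re-check the
    parsed destination before attaching the token."""
    if not RESOURCE_ID_RE.fullmatch(resource):
        raise ValueError(f"not an Azure resource identifier: {resource!r}")
    url = f"https://{ARM_HOST}{resource}?api-version=2021-04-01"
    parsed = urlsplit(url)
    if parsed.scheme != "https" or parsed.hostname != ARM_HOST or parsed.username:
        # Defence in depth: the regex should already make this unreachable.
        raise ValueError(f"refusing to send credentials to {parsed.netloc!r}")
    return {"url": url, "headers": {"Authorization": f"Bearer {token}"}}


def token_destination(request: dict) -> str:
    """Host that would receive the Authorization header of a built request."""
    return urlsplit(request["url"]).hostname or ""


# Constructed inputs (not real credentials, tenants or hosts).
MI_TOKEN = "eyJhbGciOiJSUzI1NiJ9.constructed-managed-identity-token"
GOOD_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01")
FULL_URL = "https://attacker.example/collect"
# Not a URL, yet after splicing it yields https://management.azure.com@attacker.example/...
# whose real host is attacker.example (userinfo trick).
USERINFO_TRICK = "@attacker.example/collect"


def demo() -> dict:
    """For each input: where the vulnerable handler sends the token, and what
    the hardened handler does (the ARM host, or 'rejected')."""
    results = {}
    for name, rid in (("legit", GOOD_ID), ("full_url", FULL_URL), ("userinfo", USERINFO_TRICK)):
        leaky = token_destination(build_request_vulnerable(rid, MI_TOKEN))
        try:
            hardened = token_destination(build_request_hardened(rid, MI_TOKEN))
        except ValueError:
            hardened = "rejected"
        results[name] = (leaky, hardened)
    return results


if __name__ == "__main__":
    for name, (leaky, hardened) in demo().items():
        print(f"{name:9s} vulnerable -> {leaky:18s} hardened -> {hardened}")
```

The userinfo case is why the hardened handler checks the parsed hostname even after the regex passes: rejecting only inputs that begin with a scheme is not enough, because a parameter that is merely spliced into a path can still change the host the URL parser sees.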
Among the high severity bugs resolved by Microsoft is an information disclosure flaw in Excel. Tracked as CVE-2026-26144 (CVSS score: 7.5), it is described as a case of cross-site scripting arising from improper neutralization of input during web page generation.
The Windows maker said that an attacker could exploit this flaw to exfiltrate data in Copilot Agent mode as part of a zero-click attack.
“Information disclosure vulnerabilities are especially dangerous in corporate environments, where Excel files often contain financial data, intellectual property, and business records,” Alex Vovk, CEO and co-founder of Action1, said in a statement.
“If exploited, an attacker could silently extract sensitive information from internal systems without any obvious warning. Organizations using AI-assisted productivity features are at increased risk as automated agents may unintentionally send sensitive data outside the corporate perimeter.”
The patch comes after Microsoft announced that it would change the default behavior of Windows Autopatch by enabling hotpatch security updates to help secure devices at a faster pace.
“This change in default behavior will apply to all devices targeted by Microsoft Intune and devices that access the service via the Microsoft Graph API starting with the May 2026 Windows Security Update,” Redmond said. “By applying security fixes without waiting for a reboot, organizations can achieve 90% compliance in half the time while maintaining control.”
