Microsoft's May 2026 update patches 84 new vulnerabilities, including two publicly disclosed zero-days (CVE-2026-26127 in .NET and CVE-2026-21262 in SQL Server). Eight are rated Critical and 76 Important, and most of the set addresses privilege escalation and remote code execution issues. Notable fixes include CVE-2026-21536, a CVSS 9.8 remote code execution flaw in the Microsoft Devices Pricing Program that was discovered by XBOW and has already been mitigated by Microsoft; a Winlogon privilege escalation (CVE-2026-25187) reported by James Forshaw; and an Azure MCP server-side request forgery (CVE-2026-26118) that can expose managed identity tokens. Microsoft is also enabling hotpatch updates via Windows Autopatch for faster deployment. #Winlogon #AzureMCP
Key points
- Microsoft patched 84 vulnerabilities, including two publicly disclosed zero-days (CVE-2026-26127 and CVE-2026-21262).
- Eight flaws are Critical and 76 are Important, with 46 relating to privilege escalation and 18 to remote code execution.
- The highest-scoring issue, CVE-2026-21536 (CVSS 9.8) in the Microsoft Devices Pricing Program, was discovered by XBOW and fully mitigated by Microsoft.
- The Winlogon privilege escalation (CVE-2026-25187) allows local attackers to obtain SYSTEM privileges without user interaction and was reported by James Forshaw.
- An Azure MCP server-side request forgery (CVE-2026-26118) can leak managed identity tokens.
- Microsoft is enabling hotpatches via Windows Autopatch and Intune to accelerate fix deployment.
Read More: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html