
Overview

Microsoft has released security updates addressing multiple vulnerabilities as part of the March 2026 Patch Tuesday. Two of these are zero-days that were publicly disclosed before the patches were released, and another two are rated critical.

CVE-2026-21262 – SQL Server Elevation of Privilege     CVSS v3: 8.8 (High) 

An improper access control vulnerability in Microsoft SQL Server that allows an authorised attacker to elevate their privileges across the network, potentially gaining system admin rights. This can enable further actions on the SQL Server, including executing commands with high-level privileges and accessing sensitive data. 

Affected Versions: 13.0.0 < 13.0.6480.4 

CVE-2026-26127 – .NET Denial of Service     CVSS v3: 7.5 (High)

A vulnerability in the Base64Url decoder used by .NET 9.0, .NET 10.0, and the standalone Microsoft.Bcl.Memory NuGet package. When a program decodes a maliciously crafted Base64Url string, the decoder can read memory outside its intended bounds; this out-of-bounds read crashes the application, resulting in a denial of service.

Affected Versions: 10.0.0 < 10.0.4 

CVE-2026-21536 – Microsoft Devices Pricing Program Remote Code Execution     CVSS v3: 9.8 (Critical) 

A vulnerability stemming from an unrestricted file upload flaw that enables attackers to upload dangerous file types which the system then processes automatically. It can be exploited remotely over the network without requiring any special privileges or user interaction.

Affected Versions: All installations of the Microsoft Devices Pricing Program 

CVE-2026-3381 – Compress::Raw::Zlib versions through 1.219 for Perl use Potentially Insecure Versions of zlib     CVSS v3: 9.8 (Critical) 

Compress::Raw::Zlib versions include their own bundled copy of the zlib library, which contains security weaknesses identified during audits. Exploiting this vulnerability could allow attackers to perform network-based attacks without requiring any user interaction or special privileges, potentially leading to full system compromise including data leaks, modification, or service disruption.

Affected Versions: <= 2.219

 

Apple has released emergency security updates for iOS and iPadOS. Four high-severity security patches were included, targeted at legacy Apple devices that cannot run iOS 16 or iOS 17.

CVE-2023-41974 – Kernel Use-After-Free Arbitrary Code Execution    CVSS v3: 7.8 (High) 

A flaw in the iOS kernel where improper memory handling could allow a malicious app to execute arbitrary code with kernel-level privileges. 

Affected Versions: iOS 15.8.7 

CVE-2024-23222 – WebKit Arbitrary Code Execution     CVSS v3: 8.8 (High) 

A WebKit bug where crafted web content could trigger type confusion, allowing attackers to achieve arbitrary code execution via a malicious webpage. 

Affected Versions: iOS 15.8.7 

CVE-2023-43000 – Kernel Use-After-Free Memory Corruption     CVSS v3: 8.8 (High) 

A use-after-free vulnerability in WebKit that could lead to memory corruption when a user visits harmful web pages, enabling potential code execution. 

Affected Versions: iOS 15.8.7 

CVE-2023-43010 – WebKit Memory Corruption     CVSS v3: 8.8 (High) 

Another WebKit memory handling flaw where malicious web content could cause memory corruption, forming part of the attack chain used in Coruna exploit kit campaigns. 

Affected Versions: iOS 15.8.7 

 

Recommended Action 

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Microsoft – Security Releases (March 2026) 

Apple – Security Releases (March 2026) 

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.
