March Patch Tuesday Commentary From Fortra

By Tyler Reguly, Associate Director, Security R&D, Fortra

I’m sure that everyone will be talking about CVE-2026-26118 today. After all, it contains those magical three letters MCP – Must Create Panic! The old adage has changed a little these days to become, “AI sells,” so that’s what everyone needs to talk about. The reality is that there’s an update available, this was never publicly disclosed, and Microsoft lists exploitation as less likely. So, instead of trying to create panic, I’m going to keep a level head and say that this is a great reminder for all CSOs to make sure they know how AI is being used within their organization. Instead of worrying about a single CVE that we don’t really need to talk about, look at your organization’s AI policy, look at your tooling, and look at how your data is flowing. If you know that, you’re fine. If not, shadow AI might be the actual reason that you need to panic, and that’s not a Patch Tuesday thing, that’s just an everyday thing.

Let’s agree to call this the month of no 0-days. I’m sure some people will try to call the two publicly disclosed vulnerabilities 0-days, but they’re wrong… and let’s just leave it at that. Instead, let’s talk about how even the publicly disclosed vulnerabilities are pretty much nothingburgers this month. We have CVE-2026-21262, which is a privilege escalation in SQL Server, but you have to already be an authenticated SQL user to exploit this. The other, CVE-2026-26127, is a .NET denial of service. Neither of these is very important. Neither of them should stress anybody out.

In total this month, we have 83 Microsoft CVEs and 10 non-Microsoft CVEs and I don’t see a lot of reasons for people to stress. The only CVE above an 8.8 is CVE-2026-21536, a 9.8 in Microsoft Devices Pricing Program, a vulnerability that is marked as no customer action required because it is already updated. The messaging this month should be, “Apply your patches after you finish your testing cycles.” There’s nothing that requires rushing patches, nothing that requires panic… this is just a nice, quiet Patch Tuesday (and I definitely won’t regret using the Q-word).

The only thing that people may want to pay close attention to is the Azure vulnerabilities. As I’ve mentioned before, the cloud ecosystem doesn’t really handle patching well… it’s a relatively immature process, and the way that Microsoft handles these products really demonstrates that. The CVE impacting Azure Linux Virtual Machines (CVE-2026-23665) and the multiple CVEs impacting Azure IoT Explorer require pretty non-standard patching mechanisms, and those may require a little additional effort from IT teams. CSOs should ensure that they have solid asset inventories around the deployment of cloud-related systems and tools, so that admins know where these things exist and when they need to be fixed. This is the best way to empower your sysadmins and security teams on a quiet month like this.

Discover more from The IT Nerd