Two zero-day flaws in the form of a denial of service (DoS) issue in .NET and an elevation of privilege (EoP) issue in SQL Server top the agenda for security teams in Microsoft’s latest monthly Patch Tuesday update.

Tracked as CVE-2026-26127 and CVE-2026-21262 and carrying CVSS scores of 7.5 and 8.8 respectively, both vulnerabilities have already been made public, but neither of them is known to be exploited at the point of release, although this will not be the case for much longer.

CVE-2026-26127 arises thanks to an out-of-bounds read condition in .NET that enables an unauthenticated attacker to deny service over the network. Microsoft said that in its estimation, exploitation was frankly unlikely. CVE-2026-21262 is the result of improper access controls and is only exploitable by a threat actor who is already authorised on the network – as such Microsoft said exploitation is less likely.

However, in the opinion of Rapid7 senior software engineer Adam Barnett, in both of these instances Microsoft’s assessment may understate the potential impact of the two flaws.

“Attackers fond of low-effort denial of service attacks against .NET applications will be checking out CVE-2026-26127 today,” said Barnett. “Microsoft is aware of public disclosure. While the immediate impact of exploitation is likely contained to denial of service by triggering a crash, opportunities for other types of attacks might emerge during a service reboot.”

For example, he explained, should a log forwarder or security agent be impacted, an attacker could use this to cover up a more damaging attack, and even if they simply cause downtime, this can still be enough to cause service level agreement (SLA) breaches or revenue impacts, or, noted Barnett, cause someone to get paged while asleep.

Meanwhile, CVE-2026-21262, he said, is not “just any EoP vulnerability”.

“Microsoft is aware of public disclosure, so while they assess the likelihood of exploitation as less likely, it would be a courageous defender who shrugged and deferred the patches for this one,” said Barnett.

“Most SQL Server admins and security teams concluded many years ago that exposing SQL Server directly to the internet was not a good idea. Then again, popular search engines for internet-connected devices describe tens of thousands of SQL Server instances, and they can’t all be honeypots.”

Should an attacker obtain SQL Server admin rights, beyond stealing or tampering with the database, they could also target, for example, the xp_cmdshell extended stored procedure – this spawns a Windows command shell in order to execute operating system commands. It is disabled by default but can be easily enabled by an administrator, at which point the attacker would essentially be able to act with the full privileges of the target instance’s security context (typically the SQL Server service account).
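Because xp_cmdshell is the first thing many defenders check after a SQL Server privilege-escalation advisory, the following T-SQL audit script is added here as an illustration; it is not part of the original article or of any Microsoft guidance quoted in it. It reads the instance's configuration catalogue (sys.configurations and sp_configure, which exist on every supported SQL Server version), reports whether xp_cmdshell is currently enabled, turns it back off if it is, and restores 'show advanced options' to its previous value so the audit leaves no configuration drift behind. Run it as a sysadmin against a test instance first; the PRINT lines are purely informational.

```sql
-- Added example (not from the article): audit and, if needed, disable xp_cmdshell.
-- Requires sysadmin or ALTER SETTINGS on the instance being reviewed.
SET NOCOUNT ON;

-- 1. Record whether advanced options are visible, so we can restore that state later.
DECLARE @advanced_was_on INT;
SELECT @advanced_was_on = CAST(value_in_use AS INT)
FROM sys.configurations
WHERE name = N'show advanced options';

-- 2. Read the current xp_cmdshell state straight from the catalogue view.
--    value_in_use = 1 means the procedure can be called right now.
DECLARE @xp_cmdshell_on INT;
SELECT @xp_cmdshell_on = CAST(value_in_use AS INT)
FROM sys.configurations
WHERE name = N'xp_cmdshell';

PRINT N'xp_cmdshell enabled: ' + CAST(@xp_cmdshell_on AS NVARCHAR(1));

-- 3. If it is enabled, switch it off. sp_configure for xp_cmdshell is only
--    reachable while 'show advanced options' is on, hence the temporary toggle.
IF @xp_cmdshell_on = 1
BEGIN
    EXEC sp_configure N'show advanced options', 1;
    RECONFIGURE;

    EXEC sp_configure N'xp_cmdshell', 0;
    RECONFIGURE;

    PRINT N'xp_cmdshell has been disabled.';

    -- Put 'show advanced options' back the way we found it.
    EXEC sp_configure N'show advanced options', @advanced_was_on;
    RECONFIGURE;
END;

-- 4. Emit a one-row summary suitable for a compliance report or a scheduled
--    monitoring job: the instance name, the post-audit state, and the
--    service account whose privileges xp_cmdshell would inherit.
SELECT
    @@SERVERNAME                       AS instance_name,
    c.value_in_use                     AS xp_cmdshell_enabled,
    s.service_account                  AS engine_service_account,
    SYSDATETIMEOFFSET()                AS audited_at
FROM sys.configurations AS c
CROSS JOIN sys.dm_server_services AS s
WHERE c.name = N'xp_cmdshell'
  AND s.servicename LIKE N'SQL Server (%';
```

The final SELECT deliberately joins in sys.dm_server_services so the report shows which Windows account a shell spawned by xp_cmdshell would run as; an instance running as Local System or a domain admin turns this EoP bug into a host or domain compromise, which is the point Barnett makes above. Scheduling this script (for example via SQL Agent) and alerting when xp_cmdshell_enabled flips to 1 is a cheap detection for the post-exploitation step the article describes.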