Particle.news

Microsoft’s March Patch Tuesday Fixes 80+ Flaws, Two Public Zero‑Days, No Active Exploits Reported

Administrators should prioritize EoP‑heavy fixes, with heightened attention to Office preview attacks, Copilot‑driven data leaks and internet‑facing services.

Overview

  • Microsoft addressed roughly 79–84 CVEs across Windows, Office, .NET, SQL Server and Azure, with no vulnerabilities confirmed as actively exploited, marking the first month without actively exploited zero‑days in six months.
  • Two previously disclosed issues were patched: CVE‑2026‑26127, a .NET denial‑of‑service bug, and CVE‑2026‑21262, a SQL Server elevation‑of‑privilege flaw that can grant sysadmin privileges.
  • Elevation‑of‑privilege dominated the release, with multiple bugs rated “exploitation more likely” in Windows Graphics, Kernel, SMB Server, Winlogon and the Accessibility Infrastructure.
  • A critical Excel bug, CVE‑2026‑26144, enables zero‑click data exfiltration by causing Copilot Agent mode to send data externally, while Office RCE flaws CVE‑2026‑26110 and CVE‑2026‑26113 can be triggered via the Preview Pane.
  • Microsoft said several cloud issues were mitigated server‑side, including the high‑severity Devices Pricing Program RCE (CVE‑2026‑21536); advisories also flagged an Azure MCP server token exposure risk (CVE‑2026‑26118) and ACI Confidential Containers fixes that require no customer action.