Microsoft patches zero-days in .NET and SQL Server | Computer Weekly

By Computer Weekly
March 10, 2026
Two zero-day flaws, a denial of service (DoS) issue in .NET and an elevation of privilege (EoP) issue in SQL Server, top the agenda for security teams in Microsoft’s latest monthly Patch Tuesday update.

Tracked as CVE-2026-26127 and CVE-2026-21262 and carrying CVSS scores of 7.5 and 8.8 respectively, both vulnerabilities have already been made public, but neither of them is known to be exploited at the point of release, although this will not be the case for much longer.

CVE-2026-26127 arises from an out-of-bounds read condition in .NET that enables an unauthenticated attacker to deny service over the network. Microsoft said that in its estimation, exploitation was frankly unlikely. CVE-2026-21262 is the result of improper access controls and is only exploitable by a threat actor who is already authorised on the network; as such, Microsoft said exploitation is less likely.

However, in the opinion of Rapid7 senior software engineer Adam Barnett, in both of these instances Microsoft’s assessment may understate the potential impact of the two flaws.

“Attackers fond of low-effort denial of service attacks against .NET applications will be checking out CVE-2026-26127 today,” said Barnett. “Microsoft is aware of public disclosure. While the immediate impact of exploitation is likely contained to denial of service by triggering a crash, opportunities for other types of attacks might emerge during a service reboot.”

For example, he explained, should a log forwarder or security agent be impacted, an attacker could use this to cover up a more damaging attack, and even if they simply cause downtime, this can still be enough to cause service level agreement (SLA) breaches or revenue impacts, or, noted Barnett, cause someone to get paged while asleep.

Meanwhile, CVE-2026-21262, he said, is not “just any EoP vulnerability”.

“Microsoft is aware of public disclosure, so while they assess the likelihood of exploitation as less likely, it would be a courageous defender who shrugged and deferred the patches for this one,” said Barnett.

“Most SQL Server admins and security teams concluded many years ago that exposing SQL Server directly to the internet was not a good idea. Then again, popular search engines for internet-connected devices describe tens of thousands of SQL Server instances, and they can’t all be honeypots.”

Should an attacker obtain SQL Server admin rights, beyond stealing or tampering with the database, they could also abuse, for example, xp_cmdshell, a stored procedure that spawns a Windows command shell in order to execute operating system commands. It is disabled by default but can easily be enabled by an administrator, at which point the attacker would essentially be able to act with the full privileges of the target instance’s security context.
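The configuration toggle the article refers to is visible and controllable from T-SQL. The following is an added example (not from the Computer Weekly article or from Microsoft) showing how a DBA can audit whether xp_cmdshell is enabled on an instance and switch it back off; it assumes a login holding ALTER SETTINGS (for example, a member of sysadmin or serveradmin).

```sql
-- Added example: audit and disable xp_cmdshell on a SQL Server instance.
-- Assumes the caller holds ALTER SETTINGS (sysadmin/serveradmin); not part of the article.

-- 1. Check the current state without changing anything.
--    value_in_use = 1 means xp_cmdshell is enabled right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Disable it. xp_cmdshell is an "advanced" option, so 'show advanced options'
--    has to be turned on to reach it, then turned back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Confirm the change; expect value_in_use = 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Because any sysadmin can re-run the same statements with a 1, this check only removes an easy foothold; the lasting controls are applying the patch and limiting who holds sysadmin on the instance.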

Critical flaws draw attention

This month’s Patch Tuesday update also brings a total of eight critically rated vulnerabilities from Microsoft, three of them affecting Microsoft ACI Confidential Containers. This group also includes three remote code execution (RCE) vulnerabilities, two in Microsoft Office and one in the Microsoft Devices Pricing Programme.

The two Microsoft Office RCE flaws are CVE-2026-26110, which arises from a type confusion issue in which the application accesses a resource using an incompatible data type, causing incorrect memory handling, and CVE-2026-26113, which arises from an untrusted pointer dereference issue in which Office incorrectly handles memory pointers, enabling an attacker to manipulate how the application accesses memory.

“Remote code execution vulnerabilities in productivity software represent a high-risk threat for organisations,” said Jack Bicer, vulnerability research director at Action1. “If exploited, attackers could gain control of employee systems, deploy ransomware, steal sensitive documents, or establish persistent access within corporate networks.

“Because Office documents are frequently shared internally and externally, malicious files could spread quickly across organisations, potentially turning a single compromised system into an entry point for wider network compromise.”

Bicer added: “If the security update cannot be applied immediately, organisations should disable the Preview Pane in file explorers and restrict the opening of Office files from untrusted sources. Implementing email filtering, attachment scanning, and endpoint protection monitoring can also reduce the risk of malicious document delivery.”
