Dozens of Microsoft flaws patched in latest Patch Tuesday

Updates have been issued by Microsoft to address 83 vulnerabilities across its products, including a critical remote code execution vulnerability and two publicly disclosed flaws, as part of this month's Patch Tuesday, SecurityWeek reports.

Most severe is the critical remote code execution flaw in the Devices Pricing Program, tracked as CVE-2026-21536, which Microsoft emphasized to be completely mitigated. Meanwhile, the publicly disclosed flaws include CVE-2026-21262, a privilege escalation flaw affecting SQL Server, and CVE-2026-26127, a denial-of-service vulnerability in .NET. Microsoft also patched CVE-2026-26118, which involves Azure MCP Server Tools. The issue could allow attackers to send specially crafted input to a server tool that accepts user-provided parameters, potentially causing the system to make an outbound request that exposes a managed identity token.

Ten non-Microsoft CVEs have also been fixed. Security experts highlighted several privilege escalation vulnerabilities in Windows components and multiple Azure flaws requiring non-standard patching methods, which may require additional work from IT teams.