An AI agent found it without ever reading the source code. CVE-2026-21536, a remote code execution flaw rated 9.8 on the CVSS severity scale, was discovered by XBOW — a fully autonomous AI penetration testing agent that has ranked at or near the top of the HackerOne bug bounty leaderboard for the past year. The vulnerability sits inside a component called the Microsoft Devices Pricing Program, and Microsoft has already resolved it on its end, requiring no action from Windows users.
Ben McCarthy, lead cybersecurity engineer at Immersive, describes it as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system. “Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed,” McCarthy said. “This development suggests AI-assisted vulnerability research will play a growing role in the security landscape.”
What Needs Patching First
That finding arrived inside a broader March Patch Tuesday push covering at least 77 vulnerabilities across Windows and related software, according to the announcement. No zero-days appear this month — a quieter picture than February’s five. But several patches still warrant fast attention from enterprise teams.
Just over half — 55% — of this month’s CVEs are privilege escalation bugs, and six of those carry a rating of “exploitation more likely,” spanning the Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. Four carry a CVSS score of 7.8:
- CVE-2026-24291: Incorrect permission assignments in Windows Accessibility Infrastructure, reaching SYSTEM level
- CVE-2026-24294: Improper authentication in the core SMB component
- CVE-2026-24289: Memory corruption and race condition flaw
- CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero
Two of the patched flaws were publicly disclosed before today. CVE-2026-21262 allows an attacker to elevate privileges to sysadmin on SQL Server 2016 and later editions over a network, carrying a CVSS score of 8.8. Rapid7’s Adam Barnett put it plainly: “It would be a courageous defender who shrugged and deferred the patches for this one.” The second, CVE-2026-26127, affects applications running on .NET and can trigger a denial-of-service crash, with the potential for additional attack types during a service reboot.
Office Preview Pane and Out-of-Band Fixes
Two critical remote code execution flaws — CVE-2026-26113 and CVE-2026-26110 — can be triggered simply by viewing a booby-trapped message in the Microsoft Office Preview Pane. No file needs to be opened.
Separately, Microsoft issued an emergency out-of-band update on March 2 for Windows Server 2022 to address a certificate renewal problem with Windows Hello for Business passwordless authentication. Nine browser vulnerability patches were also delivered ahead of today’s cycle and are not counted in the 77.
Outside the Windows ecosystem, Adobe shipped fixes for 80 vulnerabilities across products including Acrobat and Adobe Commerce, and Mozilla Firefox version 148.0.2 resolves three high-severity CVEs.
This article is a curated summary based on third-party sources.