For March, Patch Tuesday delivers fixes for 83 vulnerabilities

CVE-2026-24289, CVE-2026-26132 — Windows Kernel — Elevation of privilege (CVSS 7.8); memory corruption and use-after-free conditions enabling SYSTEM escalation from a local authenticated session.

CVE-2026-25187 — Winlogon — Elevation of privilege (CVSS 7.8); discovered by Google Project Zero. Given Winlogon’s position in the authentication path, this is a high-value target for post-exploitation.

CVE-2026-24294 — Windows SMB Server — Elevation of privilege (CVSS 7.8); authentication flaw allowing privilege escalation on systems with SMB enabled.

CVE-2026-24291 — Windows Accessibility Infrastructure (ATBroker.exe) — Elevation of privilege (CVSS 7.8).

CVE-2026-23668 — Windows Graphics Component — Elevation of privilege (CVSS 7.0); race condition.

With no actively exploited vulnerabilities, no critical ratings, and no publicly disclosed issues, this is the quietest Windows month of the year so far. Add these updates to your standard deployment schedule. (Kind of amazing, eh?)

Microsoft Office

Microsoft Office received 12 security fixes, three of them rated critical. None are actively exploited or publicly disclosed, and none are flagged as “Exploitation More Likely” — but the attack surface warrants attention.

CVE-2026-26113, CVE-2026-26110 — Microsoft Office — Remote code execution (CVSS 8.4, critical). Both confirm the Preview Pane as an attack vector — simply previewing a malicious file in Outlook or File Explorer is sufficient to trigger execution without further user interaction. 

CVE-2026-26144 — Microsoft Excel — Information disclosure (CVSS 7.5, critical). This one is novel: a network-accessible, zero-click data exfiltration path through Copilot Agent mode, with no user interaction required. An information disclosure rated critical is unusual and reflects the sensitivity of the data exposed.

The two Preview Pane RCEs (CVE-2026-26113, CVE-2026-26110) make this a “Patch Now” release for Office. Organizations that cannot deploy immediately should consider temporarily disabling the Preview Pane in Outlook and File Explorer.
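The mitigation suggested above, as an added example that is not from the article or from Microsoft: a PowerShell script that turns the Explorer preview pane off by policy and unregisters the Office preview handlers machine-wide, with a backup so the change can be reverted once the Office update is deployed. Explorer and Outlook both load attachment previewers from the same registration list, so removing the Office entries covers both. It assumes Office previewers can be recognised by a friendly name containing "Microsoft" (as in "Microsoft Word previewer"); the NoPreviewPane/NoReadingPane policy values and the PreviewHandlers key are standard Windows locations. Run it elevated.

```powershell
# Added example (not from the article): temporary Preview Pane mitigation for the Office
# RCEs CVE-2026-26113 and CVE-2026-26110, for hosts that cannot take the March Office
# update yet. Run elevated; run again with -Revert after patching.
#
# Two levers, both standard Windows registry locations:
#   1. The Explorer "Turn off Preview Pane" / "Turn off Details Pane" policy values
#      (NoPreviewPane, NoReadingPane) for the current user. Fleet-wide, push the same
#      policy via GPO instead of this script.
#   2. The machine-wide preview-handler registration list. Explorer and Outlook both load
#      attachment previewers from it, so removing the Office entries stops Office files
#      from being rendered on preview in either program.
# Assumption: Office previewers carry a friendly name containing "Microsoft"
# (for example "Microsoft Word previewer"); adjust the filter if yours differ.

param([switch]$Revert)

$PolicyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$HandlerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers'
$BackupFile = Join-Path $env:ProgramData 'office-previewhandlers-backup.json'

function Disable-OfficePreview {
    # 1. Explorer preview/details panes off (takes effect when Explorer restarts)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoPreviewPane' -Type DWord -Value 1
    Set-ItemProperty -Path $PolicyKey -Name 'NoReadingPane' -Type DWord -Value 1

    # 2. Back up, then unregister the Office preview handlers
    $key    = Get-Item -Path $HandlerKey
    $office = @{}
    foreach ($clsid in $key.GetValueNames()) {
        $friendly = [string]$key.GetValue($clsid)
        if ($friendly -like '*Microsoft*') { $office[$clsid] = $friendly }
    }
    if ($office.Count -eq 0) {
        Write-Warning 'No Office preview handlers registered; nothing to remove.'
        return
    }
    $office | ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8
    foreach ($clsid in $office.Keys) {
        Remove-ItemProperty -Path $HandlerKey -Name $clsid
        Write-Host "Removed preview handler $clsid ($($office[$clsid]))"
    }
    Write-Host "Backup written to $BackupFile; rerun with -Revert after patching."
}

function Enable-OfficePreview {
    Remove-ItemProperty -Path $PolicyKey -Name 'NoPreviewPane', 'NoReadingPane' -ErrorAction SilentlyContinue
    if (-not (Test-Path $BackupFile)) {
        Write-Warning "No backup at $BackupFile; nothing to restore."
        return
    }
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($entry in $saved.PSObject.Properties) {
        Set-ItemProperty -Path $HandlerKey -Name $entry.Name -Type String -Value $entry.Value
        Write-Host "Restored preview handler $($entry.Name) ($($entry.Value))"
    }
    Remove-Item -Path $BackupFile
}

if ($Revert) { Enable-OfficePreview } else { Disable-OfficePreview }
```

The policy values only affect the user running the script, which is why the comment points at GPO for anything beyond a handful of machines; the handler removal is machine-wide and is the part that actually stops an Office document from being parsed on hover. Keep the backup file: the Office update does not recreate registrations you removed by hand.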

Microsoft SQL Server and Exchange

SQL Server has three elevation-of-privilege vulnerabilities, all CVSS 8.8, all enabling authenticated users to escalate to sysadmin over the network:

CVE-2026-21262 — Improper access control. Publicly disclosed (zero-day). Affects SQL Server 2016 SP3 through 2025.

CVE-2026-26115 — Improper input validation. Affects SQL Server 2016 SP3 through 2025.

CVE-2026-26116 — SQL injection. Affects SQL Server 2025 only.

CVE-2026-21262 is one of this month’s two zero-days. Although rated “Exploitation Less Likely,” the public disclosure and the breadth of affected versions (every supported release) warrant priority patching for SQL Server environments; add these SQL Server updates to your Patch Now schedule. Exchange Server has not received any security updates this month.
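Because all three SQL Server bugs let an authenticated user reach sysadmin over the network, the exposure on a given instance is its version plus the number of logins that are not already sysadmin. The following added example (not from the article) scripts that check across a list of instances with the SqlServer module's Invoke-Sqlcmd. It assumes the caller holds sysadmin or VIEW ANY DEFINITION on each instance, and that ProductMajorVersion 13 through 17 corresponds to SQL Server 2016 through 2025 (17 = 2025 is taken from the current numbering and is an assumption). The 2016 SP3 qualifier is not checked; anything older than SP3 is out of support and needs upgrading regardless.

```powershell
# Added example (not from the article): per-instance exposure check for the March SQL
# Server EoP fixes CVE-2026-21262, CVE-2026-26115 (2016 SP3 through 2025) and
# CVE-2026-26116 (2025 only). Requires the SqlServer module (Invoke-Sqlcmd).
# Assumption: ProductMajorVersion 13..17 = SQL Server 2016..2025.

param([string[]]$Instances = @('localhost'))

$Query = @'
SELECT
    CAST(SERVERPROPERTY('ProductMajorVersion') AS int)          AS MajorVersion,
    CAST(SERVERPROPERTY('ProductVersion')      AS nvarchar(32)) AS ProductVersion,
    CAST(SERVERPROPERTY('ProductLevel')        AS nvarchar(32)) AS ProductLevel,
    (SELECT COUNT(*) FROM sys.server_principals p
      WHERE p.type IN ('S', 'U', 'G')         -- SQL logins, Windows users, Windows groups
        AND p.is_disabled = 0
        AND p.name NOT LIKE '##%'              -- skip the internal ##MS_...## logins
        AND IS_SRVROLEMEMBER('sysadmin', p.name) = 0) AS NonSysadminLogins;
'@

$ReleaseByMajor = @{ 13 = '2016'; 14 = '2017'; 15 = '2019'; 16 = '2022'; 17 = '2025' }

# Pure function: maps one instance's version and login counts to the applicable CVEs
# and a patch priority, so the logic can be checked without a live server.
function Get-SqlExposure {
    param([string]$Instance, [int]$MajorVersion, [string]$ProductVersion,
          [string]$ProductLevel, [int]$NonSysadminLogins)
    $cves = @()
    if ($MajorVersion -ge 13 -and $MajorVersion -le 17) { $cves += 'CVE-2026-21262', 'CVE-2026-26115' }
    if ($MajorVersion -eq 17)                            { $cves += 'CVE-2026-26116' }
    $release = $ReleaseByMajor[$MajorVersion]
    [pscustomobject]@{
        Instance          = $Instance
        Release           = if ($release) { "SQL Server $release" } else { "unknown (major $MajorVersion)" }
        Build             = "$ProductVersion $ProductLevel"
        NonSysadminLogins = $NonSysadminLogins
        ApplicableCVEs    = $cves -join ', '
        Priority          = if (-not $cves) { 'not affected' }
                            elseif ($NonSysadminLogins -gt 0) { 'Patch Now' }
                            else { 'patch; no non-sysadmin logins today' }
    }
}

$Instances | ForEach-Object {
    $inst = $_
    try {
        $row = Invoke-Sqlcmd -ServerInstance $inst -Query $Query -ErrorAction Stop
        Get-SqlExposure -Instance $inst -MajorVersion $row.MajorVersion `
                        -ProductVersion $row.ProductVersion -ProductLevel $row.ProductLevel `
                        -NonSysadminLogins $row.NonSysadminLogins
    } catch {
        Write-Warning "$inst : $($_.Exception.Message)"
    }
} | Format-Table -AutoSize
```

A "Patch Now" row with a large NonSysadminLogins count is the case the bulletin is describing: every one of those logins is a candidate for escalation until the update lands. Recent SqlServer module versions default to encrypted connections, so instances without a trusted certificate may need -TrustServerCertificate on the Invoke-Sqlcmd call.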

Developer tools

For March, Microsoft addresses four vulnerabilities across .NET, ASP.NET Core, and Microsoft Semantic Kernel, all rated Important, covering the following:

CVE-2026-26127 — .NET — Denial of service (CVSS 7.5). Publicly disclosed (zero-day). An unauthenticated out-of-bounds read affecting .NET 9.0 and 10.0 across Windows, macOS, and Linux.

CVE-2026-26130 — ASP.NET Core — Denial of service (CVSS 7.5). Unauthenticated resource exhaustion across ASP.NET Core 8.0, 9.0, and 10.0.

CVE-2026-26030 — Semantic Kernel Python SDK — Remote code execution (CVSS 9.9). Filter bypass in InMemoryVectorStore; exploitation requires untrusted input to the filter path. Rated “Exploitation Unlikely.”

CVE-2026-26131 — .NET 10.0 — Elevation of privilege (CVSS 7.8). Incorrect default permissions on Windows.

The two unauthenticated DoS vulnerabilities are the priority for internet-facing .NET and ASP.NET Core services. CVE-2026-26127 is the second of this month’s two zero-days. Add these updates to your “Patch Now” deployment schedule.
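Finding which hosts carry an affected .NET or ASP.NET Core shared runtime is the first step to prioritising the two DoS fixes. The added example below (not from the article) parses the output of `dotnet --list-runtimes` and flags the runtime families named in the bulletin: .NET 9.0 and 10.0 for CVE-2026-26127, and ASP.NET Core 8.0, 9.0 and 10.0 for CVE-2026-26130. The patched servicing build numbers are not on this page and are not reproduced, so a match means "affected family present, confirm this host took the March update". It assumes the dotnet CLI's line format `Microsoft.NETCore.App 9.0.3 [path]`; the sample lines used when no CLI is on PATH are constructed.

```powershell
# Added example (not from the article): inventory installed .NET / ASP.NET Core shared
# runtimes and flag the families affected by CVE-2026-26127 and CVE-2026-26130.
# Assumption: `dotnet --list-runtimes` prints "<name> <version> [<path>]" per runtime.

# Affected runtime families as stated in the bulletin (major.minor => CVE).
$Affected = @{
    'Microsoft.NETCore.App'    = @{ '9.0' = 'CVE-2026-26127'; '10.0' = 'CVE-2026-26127' }
    'Microsoft.AspNetCore.App' = @{ '8.0' = 'CVE-2026-26130'; '9.0' = 'CVE-2026-26130'; '10.0' = 'CVE-2026-26130' }
}

function Get-AffectedRuntimes {
    param([string[]]$Lines)   # lines in `dotnet --list-runtimes` format
    foreach ($line in $Lines) {
        # name, full version (incl. previews such as 10.0.0-preview.1.x), major.minor, path
        if ($line -notmatch '^(?<name>\S+)\s+(?<full>(?<ver>\d+\.\d+)\.\S+)\s+\[(?<path>[^\]]+)\]\s*$') { continue }
        $family = $Affected[$Matches.name]
        if ($family -and $family.ContainsKey($Matches.ver)) {
            [pscustomobject]@{
                Runtime = $Matches.name
                Version = $Matches.full
                CVE     = $family[$Matches.ver]
                Path    = $Matches.path
            }
        }
    }
}

$lines = if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    & dotnet --list-runtimes
} else {
    # Constructed sample output for running the parser without the dotnet CLI installed.
    @(
        'Microsoft.NETCore.App 8.0.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]',
        'Microsoft.NETCore.App 9.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]',
        'Microsoft.AspNetCore.App 8.0.14 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]',
        'Microsoft.AspNetCore.App 9.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    )
}

$hits = @(Get-AffectedRuntimes -Lines $lines)
if ($hits.Count -eq 0) { Write-Host "$env:COMPUTERNAME : no affected runtime families installed" }
else { $hits | Format-Table -AutoSize }
```

On the constructed sample, `Microsoft.NETCore.App 8.0.14` is not reported (only 9.0 and 10.0 are named for the .NET DoS) while the ASP.NET Core 8.0 and 9.0 entries and .NET 9.0 are. Self-contained deployments bundle the runtime inside the application folder and do not appear in this listing, so they have to be rebuilt against a patched SDK rather than found here.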

Adobe (and third-party updates)

Adobe (but not Microsoft) has released a single update (APSB26-26) that affects Adobe Reader and Acrobat. Since you made it this far, one item worth flagging for its novelty: CVE-2026-21536 (CVSS 9.8), a critical unauthenticated remote code execution vulnerability in the Microsoft Devices Pricing Program, was discovered by XBOW, an autonomous AI-powered penetration testing agent. This marks one of the first critical-severity CVEs in a Microsoft product publicly attributed to an AI security researcher. 
