Microsoft March 2026 Patch Tuesday
Microsoft Delivers First Zero-Active-Exploit Patch Tuesday In Six Months – 83 Patches, Zero Active Exploits But Don’t Hit Snooze On This One
First Patch Tuesday in six months with no actively exploited zero-days - but critical Office, SQL Server, and Copilot flaws still demand fast action.
Microsoft released its March 2026 Patch Tuesday update today, fixing 83 security vulnerabilities across Windows, Office, Azure, SQL Server, .NET, and Edge. The good news for Houston-area businesses: this is the first monthly update since September 2025 without a single actively exploited zero-day. After February's release included six zero-days under active attack, March feels comparatively calm.
That said, "calm" doesn't mean "skip it." Two vulnerabilities were publicly disclosed before patches dropped, meaning exploit code or technical details were already circulating. Eight flaws carry Critical severity ratings. And one particularly interesting bug in Microsoft Excel could let attackers weaponize Copilot Agent mode to exfiltrate data without any user interaction at all.
CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees. Here's what you need to know about this month's patches.
Elevation of privilege vulnerabilities made up the largest share of this month's fixes at 55.4%, followed by remote code execution at 20.5%. The remaining patches covered denial of service, information disclosure, and spoofing flaws across Windows components, Azure services, Office applications, and server products.
Tenable's analysis breaks the 83 CVEs into 8 critical and 75 important. BleepingComputer's count of 79 excludes 9 Edge flaws and some Azure and Devices Pricing Program patches fixed earlier in March. Regardless of how you count them, this is a moderate-sized update that still carries real risk if left unpatched.
- 46 Elevation of Privilege - attackers gaining higher system access than authorized
- 17 Remote Code Execution - attackers running arbitrary code on target systems
- 6 Denial of Service - crashing services or making systems unavailable
- 6 Information Disclosure - leaking sensitive data including one Copilot-related flaw
- 5 Spoofing - attackers disguising their identity or actions
February 2026 was rough, with 6 actively exploited zero-days in the MSHTML Framework, Microsoft Word, Desktop Window Manager, Windows Shell, Remote Desktop, and Remote Access Connection Manager. That context makes March's clean sheet a welcome break, but it shouldn't slow down your patching cadence.
CVE-2026-21262 - SQL Server Elevation of Privilege
This is the higher-profile of the two zero-days. An improper access control flaw in Microsoft SQL Server allows an authenticated attacker to escalate privileges over the network, potentially gaining full SQL sysadmin rights. That means complete administrative control over the database environment - reading, modifying, or deleting anything stored there.
- CVSS Score: 8.8 - rated Important by Microsoft
- Attack Vector: Network-based, low complexity, no user interaction required
- Impact: Full SQL sysadmin privileges on affected servers
- Discovery: Credited to researcher Erland Sommarskog
For Houston-area CPA firms, law firms, and wealth management companies running SQL Server for client data, this one deserves attention. An attacker who already has basic database access - even through a compromised user account - could escalate to full administrative control.
CVE-2026-26127 - .NET Denial of Service
The second zero-day is a .NET denial of service flaw caused by an out-of-bounds read. An unauthenticated attacker could remotely crash services built on affected .NET versions.
- CVSS Score: 7.5 - rated Important
- Affected versions: .NET 9.0 and 10.0 on Windows, macOS, and Linux
- Impact: Service disruption for applications running on vulnerable .NET versions
- Microsoft assessment: Exploitation unlikely despite public disclosure
Tenable's Satnam Narang put it well: these two zero-days are "more bark than bite." Still, public disclosure means technical details are available for anyone motivated to write an exploit, and the SQL Server flaw especially could be chained with other access methods in a targeted attack.
Microsoft Office Remote Code Execution (CVE-2026-26110 and CVE-2026-26113)
These two flaws both scored CVSS 8.4 and carry Critical ratings. A local, unauthenticated attacker could trigger code execution through a malicious Office document. The kicker: the Preview Pane in Outlook and File Explorer is a valid attack vector. You don't even have to open the file fully - just previewing it could be enough.
Mike Walters from Action1 framed the risk clearly: documents get shared constantly via email, file shares, and collaboration platforms. A single malicious document could give an attacker a foothold inside a network, then lead to ransomware deployment, data theft, or lateral movement to other systems. Businesses that deal heavily in document exchange - construction companies sharing project specs, engineering firms circulating CAD exports, legal teams moving contracts - face the highest exposure.
Additional Critical Flaws
- CVE-2026-21536 (CVSS 9.8) - Devices Pricing Program RCE. The highest-scored vulnerability this month, though Microsoft says it's already been fully mitigated server-side. No user action required.
- CVE-2026-26144 - Excel Information Disclosure via Copilot Agent mode (covered in detail below)
- Four Excel RCE flaws (CVE-2026-26112, CVE-2026-26109, CVE-2026-26108, CVE-2026-26107) - targeted code execution through malicious spreadsheets
- CVE-2026-26111 - Windows Routing and Remote Access Service (RRAS) RCE
- CVE-2026-25190 - Windows GDI Remote Code Execution
| CVE | Component | Type | CVSS | Status |
|---|---|---|---|---|
| CVE-2026-21536 | Devices Pricing Program | RCE | 9.8 | Mitigated |
| CVE-2026-26113 | Microsoft Office | RCE | 8.4 | Patch Now |
| CVE-2026-26110 | Microsoft Office | RCE | 8.4 | Patch Now |
| CVE-2026-21262 | SQL Server | EoP | 8.8 | Zero-Day |
| CVE-2026-26144 | Microsoft Excel / Copilot | Info Disclosure | Critical | Patch Now |
| CVE-2026-26127 | .NET 9.0/10.0 | DoS | 7.5 | Zero-Day |
Microsoft flagged six vulnerabilities as having a higher likelihood of being exploited. All of them are elevation of privilege bugs - the kind of flaw an attacker uses after they've already gotten a foothold in your network, to escalate from a regular user account to full system or administrator access.
In my 30+ years working in IT, this pattern is consistent: attackers get in through phishing or a web vulnerability, then immediately look for privilege escalation paths. These six vulnerabilities are exactly the tools they'd reach for.
- CVE-2026-23668 - Windows Graphics Component. A race condition that could grant administrator privileges. Discovered by Marcin Wiazowski working with Trend Micro's Zero Day Initiative.
- CVE-2026-24289 - Windows Kernel. Use-after-free flaw allowing SYSTEM-level access. Reported by Google Project Zero's James Forshaw.
- CVE-2026-26132 - Windows Kernel. Another use-after-free granting administrator privileges.
- CVE-2026-24291 - Windows Accessibility Infrastructure. Escalation to SYSTEM privileges.
- CVE-2026-24294 - Windows component privilege escalation.
- CVE-2026-25187 - Winlogon. Improper link resolution that could also yield SYSTEM privileges. Also found by James Forshaw.
Six Windows Kernel elevation of privilege flaws have been patched so far in 2026 alone - a trend worth watching. These vulnerabilities carry CVSS scores around 7.8 and require local access, but they're the missing piece in almost every targeted attack chain.
Why Privilege Escalation Matters for SMBs
Attackers don't need an admin password to start. They get in through a phishing email or compromised browser, then escalate privileges to take over entire networks. These six flaws are the exact tools that make lateral movement possible. Managed cybersecurity services that include endpoint monitoring and rapid patch deployment are the most effective defense for businesses without dedicated security teams.
This is the vulnerability worth paying attention to beyond the immediate patch cycle. CVE-2026-26144 is an information disclosure flaw in Microsoft Excel that Trend Micro's Dustin Childs called out as a preview of attack patterns that will probably become more common.
The attack works like this: an attacker exploits the Excel vulnerability to cause Copilot Agent mode to exfiltrate data through unintended network connections. It's a zero-click operation - the victim doesn't need to approve anything or even interact with the file. Copilot does the data theft automatically.
For businesses already using Microsoft 365 Copilot or planning to adopt it, this is a concrete example of AI-adjacent security risk. The tool designed to boost productivity becomes the exfiltration channel. We're going to see more of this as AI assistants get deeper access to business data.
Businesses across Katy, Sugar Land, and the greater Houston area that rely on Excel for financial data, client records, or operational reporting should prioritize this patch.
Outside the vulnerability fixes, there's a ticking clock on Secure Boot certificates that every IT team needs to track. The original certificates issued in 2011 begin expiring in late June 2026. If devices haven't received updated certificates by then, they'll lose security protections for the early boot process - making them vulnerable to bootkit malware like BlackLotus.
Microsoft started rolling out replacement certificates with February's Patch Tuesday and is continuing that staged deployment this month. The rollout is conditional: Microsoft only installs new certificates on systems that show sufficient update reliability signals. That means devices that haven't been consistently updated may not receive the new certificates automatically.
- What happens if certificates expire: Devices will continue to boot normally, but will no longer receive new security protections for Windows Boot Manager and Secure Boot components
- What to do: Keep Windows updated consistently through March, April, and May to ensure your devices are eligible for the certificate rollout
- Who's most at risk: Older devices, machines not regularly patched, and systems running Windows 10 without ESU enrollment
This is one of those issues where consistent managed IT support pays for itself. If your machines have been kept current, the transition happens automatically. If they haven't, you may be scrambling in June.
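To see whether a given machine has already received the replacement certificates, you can read the Secure Boot variables directly. The script below is an added example, not something from Microsoft's release notes or from CinchOps tooling. It assumes the certificate names Microsoft has published for the 2023 replacements (`Windows UEFI CA 2023` and `Microsoft Corporation KEK 2K CA 2023`), which do not appear in this article, and it must run in an elevated PowerShell session on a UEFI system.

```powershell
# Added example: report whether this device's Secure Boot variables already
# contain the 2023 replacement certificates. Run from an elevated prompt.
function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Variable,
        [Parameter(Mandatory)][string]$CommonName
    )
    # Get-SecureBootUEFI returns the raw UEFI variable; certificate subject
    # names appear as ASCII-compatible strings inside the DER-encoded entries.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($CommonName)
}

try {
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    # Thrown on legacy BIOS systems or when the session is not elevated.
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    return
}

# Certificate names are assumptions taken from Microsoft's published
# guidance for the 2023 rollout, not from this article.
$checks = @(
    @{ Variable = 'db';  CommonName = 'Windows UEFI CA 2023' },
    @{ Variable = 'KEK'; CommonName = 'Microsoft Corporation KEK 2K CA 2023' }
)

$result = [ordered]@{
    Computer          = $env:COMPUTERNAME
    SecureBootEnabled = $enabled
}
foreach ($c in $checks) {
    $result["$($c.Variable): $($c.CommonName)"] = Test-SecureBootCert @c
}
[pscustomobject]$result | Format-List
```

A `False` for either certificate on a device that is otherwise in service means the staged rollout has not reached it yet, which is the cue to check its update history before June.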
Beyond security patches, the March cumulative update for Windows 11 (KB5079473 for versions 24H2/25H2, KB5078883 for 23H2) includes several functional improvements. A few of these are genuinely useful for small business environments.
Built-in System Monitor (Sysmon)
Windows now includes native Sysmon functionality - a tool that security professionals have been installing separately for years to capture system events for threat detection. It's off by default, but once enabled, it writes events to Windows Event Log where security tools can pick them up. This is a meaningful addition for businesses running endpoint detection. Previously, deploying Sysmon across a fleet of machines required separate installation and configuration.
Quick Machine Recovery (QMR)
QMR now turns on automatically for Windows Professional devices that are not domain-joined or enterprise-managed. These devices get the same recovery features that Windows Home users already had. For domain-joined business machines, QMR stays off unless an admin enables it. This is particularly useful for businesses with a mix of managed and unmanaged devices - something we see often in Houston SMBs with remote workers.
Other Notable Additions
- Built-in network speed test accessible directly from the taskbar - useful for quick troubleshooting without installing third-party tools
- Windows Backup for Organizations - the first sign-in restore experience now works on Entra hybrid joined devices, Cloud PCs, and multi-user setups, making device migrations smoother
- Camera pan and tilt controls for supported cameras in Settings, under Bluetooth and Devices
- File Explorer fix for folder renaming with desktop.ini files where custom folder names weren't displaying correctly
- Shutdown/hibernation fix for Secure Launch-capable PCs with Virtual Secure Mode enabled - resolving the issue where affected devices would restart instead of shutting down
Windows 10 Update: KB5078885
Still running Windows 10? The KB5078885 extended security update is available for Enterprise LTSC and ESU-enrolled devices, bringing the same March security patches. Remember that Windows 10 mainstream support has ended - if you're not enrolled in ESU, you're running unpatched. CinchOps can help Houston businesses plan their migration path.
How CinchOps Can Help
Monthly Patch Tuesday updates are a grind. 83 vulnerabilities across Windows, Office, Azure, SQL Server, .NET, and Edge - each one needing to be evaluated, tested, and deployed without breaking the applications your team relies on daily. For businesses across Houston, Katy, Sugar Land, Cypress, and the greater West Houston corridor, CinchOps handles this entire process as part of our managed IT services.
- Automated patch management with testing and staged rollouts that minimize downtime and compatibility issues
- Priority-based deployment - critical and actively exploited flaws get fast-tracked, while lower-risk patches follow a controlled schedule
- Endpoint monitoring that detects exploitation attempts targeting unpatched systems in real time
- Secure Boot certificate tracking to ensure all devices receive updated certificates before the June 2026 expiration
- Windows migration planning for businesses still running Windows 10 without ESU coverage
- Vulnerability reporting so you know exactly which systems in your environment are patched and which need attention
Patch management isn't glamorous work, but unpatched vulnerabilities remain the most common entry point for ransomware and data breaches targeting small businesses. We see this pattern at least twice a month with Houston businesses that come to us after an incident. The fix is almost always a patch that was available weeks or months before the attack.
Frequently Asked Questions
What is Microsoft Patch Tuesday and why does it matter for small businesses?
Patch Tuesday is Microsoft's monthly security update cycle, released on the second Tuesday of each month. It matters for small businesses because unpatched vulnerabilities are one of the most common ways attackers gain access to business networks. A managed IT provider can handle patch deployment so business owners do not have to track these updates themselves.
Were any zero-day vulnerabilities actively exploited in the March 2026 Patch Tuesday?
No. While Microsoft disclosed two zero-day vulnerabilities in March 2026 - CVE-2026-21262 in SQL Server and CVE-2026-26127 in .NET - neither was actively exploited at the time patches were released. This is the first Patch Tuesday in six months with no confirmed active exploitation.
How quickly should Houston businesses apply the March 2026 patches?
Organizations should prioritize patching within the first 48 to 72 hours, especially for the critical Office RCE flaws and the six elevation of privilege vulnerabilities flagged as more likely to be exploited. A managed IT services provider like CinchOps can deploy and test patches on a controlled schedule to minimize downtime and risk.
What is the Secure Boot certificate issue and do I need to worry about it?
The original Secure Boot certificates from 2011 expire in June 2026. Microsoft is rolling out replacement certificates through monthly updates. If devices don't receive the new certificates before expiration, they will lose protection against bootkit malware like BlackLotus. Keeping Windows updated ensures your systems receive these new certificates automatically.
What is the Microsoft Copilot data exfiltration vulnerability in CVE-2026-26144?
CVE-2026-26144 is an information disclosure flaw in Microsoft Excel that could allow an attacker to cause Copilot Agent mode to send data out of the network without any user interaction. This zero-click attack highlights growing security risks as AI tools become embedded in everyday business applications and shows why patch management is critical even for tools you trust.
Source: BleepingComputer - Microsoft March 2026 Patch Tuesday