Microsoft has rolled out its March 2026 Patch Tuesday updates, delivering a fresh batch of security fixes designed to keep Windows environments protected from emerging threats. The release addresses multiple vulnerabilities spanning Windows components and other Microsoft products. Here’s a quick breakdown of what you need to know.
This month’s release addresses 93 vulnerabilities, including eight critical and 75 important severity vulnerabilities.
In this month’s updates, Microsoft has addressed two publicly disclosed zero-day vulnerabilities.
Microsoft addressed nine vulnerabilities in Microsoft Edge (Chromium-based) that were patched earlier this month.
Microsoft Patch Tuesday, March edition, includes updates for vulnerabilities in Microsoft Graphics Component, Windows Kerberos, Windows Kernel, Windows Hyper-V, SQL Server, Windows File Server, Windows App Installer, and more.
This month’s release includes fixes for several high-severity issues that could potentially enable remote code execution, privilege escalation, or denial-of-service attacks. As always, timely patch deployment is crucial to reduce exposure and ensure systems remain resilient against exploitation attempts.
The March 2026 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| Spoofing Vulnerability | 4 | Important: 4 |
| Denial of Service Vulnerability | 4 | Important: 4 |
| Elevation of Privilege Vulnerability | 46 | Critical: 3 Important: 43 |
| Information Disclosure Vulnerability | 11 | Critical: 2 Important: 9 |
| Remote Code Execution Vulnerability | 18 | Critical: 3 Important: 15 |
| Security Feature Bypass Vulnerability | 2 | Important: 2 |
Zero-day Vulnerabilities Patched in March Patch Tuesday Edition
CVE-2026-21262: SQL Server Elevation of Privilege Vulnerability
SQL Server is Microsoft’s relational database management system (RDBMS) for storing, managing, and retrieving data in enterprise environments.
An improper access control flaw in SQL Server may allow an authenticated attacker to elevate their privileges across the network. Upon successful exploitation of the vulnerability, an attacker could gain SQL sysadmin privileges.
CVE-2026-26127: .NET Denial of Service Vulnerability
A .NET out-of-bounds read flaw could allow an unauthenticated attacker to launch a denial-of-service attack.
Critical Severity Vulnerabilities Patched in March Patch Tuesday Edition
CVE-2026-26113: Microsoft Office Remote Code Execution Vulnerability
An untrusted pointer dereference flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.
CVE-2026-26110: Microsoft Office Remote Code Execution Vulnerability
A type confusion flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.
CVE-2026-26144: Microsoft Excel Information Disclosure Vulnerability
An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.
CVE-2026-26122: Microsoft ACI Confidential Containers Information Disclosure Vulnerability
Microsoft ACI (Azure Container Instances) Confidential Containers enable serverless deployment of containerized applications within a hardware-based Trusted Execution Environment (TEE) using AMD SEV-SNP technology. They protect data in use by encrypting memory and ensuring code integrity, preventing unauthorized access from cloud operators, privileged users, or malicious actors.
Initialization of a resource with an insecure default in Azure Compute Gallery could allow an authenticated attacker to disclose information over a network.
CVE-2026-26125: Payment Orchestrator Service Elevation of Privilege Vulnerability
A Payment Orchestrator Service is a software layer that centralizes and manages a business’s entire payment ecosystem—gateways, processors, and acquirers—via a single integration.
Microsoft has not provided any information about the vulnerability. The advisory states that the vulnerability has been fully mitigated.
CVE-2026-26124: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability
Microsoft has not provided any information about the vulnerability. The advisory states that the vulnerability has been fully mitigated in the Azure Confidential ACI service. No service update, patch, reboot, or upgrade is required.
CVE-2026-21536: Microsoft Devices Pricing Program Remote Code Execution Vulnerability
The Microsoft Devices Pricing Program generally refers to specialized purchasing, education discounts, and licensing models for Microsoft hardware (like Surface) and software, designed to reduce costs for businesses, education, and individual users. These programs offer volume pricing, device-based licensing for Microsoft 365, and special discounts for students/teachers.
Microsoft has not provided any information about the vulnerability. The advisory states that Microsoft has fully mitigated the vulnerability. No action is required of users of this service.
CVE-2026-23651: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability
A permissive regular expression flaw in Azure Compute Gallery could allow an authenticated attacker to elevate local privileges.
Other Microsoft Vulnerability Highlights
- CVE-2026-23668 is an elevation-of-privilege vulnerability in the Windows Graphics Component. Upon successful exploitation of the vulnerability, an attacker could gain administrator privileges.
- CVE-2026-24289 and CVE-2026-26132 are elevation-of-privilege vulnerabilities in the Windows Kernel. A use-after-free flaw may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-24291 is an elevation-of-privilege vulnerability in the Windows Accessibility Infrastructure. Upon successful exploitation of the vulnerability, an authenticated attacker could gain SYSTEM privileges.
- CVE-2026-24294 is an elevation-of-privilege vulnerability in Windows SMB Server. Successful exploitation of this vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-25187 is an elevation-of-privilege vulnerability in Winlogon. Upon successful exploitation of the vulnerability, an authenticated attacker could gain SYSTEM privileges.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, System Center Operations Manager, Microsoft Devices Pricing Program, Azure Compute Gallery, GitHub Repo: zero-shot-scfoundation, Azure Portal Windows Admin Center, Azure IoT Explorer, Azure Linux Virtual Machines, Broadcast DVR, Windows Print Spooler Components, Windows Bluetooth RFCOM Protocol Driver, Windows Universal Disk Format File System Driver (UDFS), Windows Resilient File System (ReFS), Windows MapUrlToZone, Push Message Routing Service, Windows Win32K, Windows Mobile Broadband, Windows Projected File System, Windows Accessibility Infrastructure (ATBroker.exe), Connected Devices Platform Service (Cdpsvc), Windows Ancillary Function Driver for WinSock, Windows SMB Server, Windows Device Association Service, Windows Performance Counters, Windows System Image Manager, Microsoft Brokering File System, Windows Authentication Methods, Windows Routing and Remote Access Service (RRAS), Windows Extensible File Allocation, Windows NTFS, Active Directory Domain Services, Windows GDI+, Windows Shell Link Processing, Winlogon, Windows Telephony Service, Windows DWM Core Library, Windows GDI, Microsoft Office SharePoint, Microsoft Office Excel, Microsoft Office, Azure Windows Virtual Machine Agent, Azure MCP Server, Microsoft Authenticator, Payment Orchestrator Service, .NET, ASP.NET Core, Azure Arc, Azure Entra ID, Microsoft Semantic Kernel Python SDK, and Microsoft Edge (Chromium-based).
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).
You can see all your impacted hosts by these vulnerabilities using the following QQL query:
vulnerabilities.vulnerability: ( qid: 110520 or qid: 110521 or qid: 386757 or qid: 386758 or qid: 386764 or qid: 386765 or qid: 92364 or qid: 92365 or qid: 92366 or qid: 92367 )
Rapid Response with TruRisk™ Eliminate
Patch to the Latest Version
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.
The following QQL will return the missing patches for this Patch Tuesday:
( qid: 110520 or qid: 110521 or qid: 386757 or qid: 386758 or qid: 386764 or qid: 386765 or qid: 92364 or qid: 92365 or qid: 92366 or qid: 92367 )
Visit the March 2026 Security Updates to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their networks with QIDs 110520, 110521, 386757, 386758, 386764, 386765, 92364, 92365, 92366, and 92367 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://msrc.microsoft.com/update-guide
https://msrc.microsoft.com/update-guide/releaseNote/2026-Mar
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26113
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26110
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26144
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26122
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26125
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26124
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21536
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23651
