Microsoft Patch Tuesday March 2026
11 Mar 2026
The March edition of the Patch Tuesday update addresses 79+ flaws, out of which 3 are critical, and 2 are zero-day vulnerabilities.
The following vulnerabilities were addressed through the update that threat actors exploited to orchestrate attacks:
|
Number |
Type of |
|
46 |
Privilege elevation |
|
2 |
Security feature |
|
18 |
Remote code |
|
10 |
Information |
|
4 |
Denial of service |
|
4 |
Spoofing |
2 zero day vulnerabilities addressed
CVE-2026-21262 – SQL Server Elevation of Privilege Vulnerability – CVSS-8.8
This vulnerability was a publicly disclosed zero-day flaw that granted SQLadmin-level privileges to attackers in 2016 and later editions of SQL Server 2016. Attackers could exploit the flaw to:
- Gain unauthorized access to the system – attackers can use the vulnerability to gain unauthorized access to the system by escalating privileges.
- Manipulate data – attackers can use the privileged access to databases to modify or delete sensitive data.
- Gain system control – by exploiting the vulnerability, attackers can gain control over SQL Server and execute arbitrary commands to orchestrate their attack.
- Disrupt services – a full-blown denial of service attack could be carried out, highly impacting the availability of applications that rely on SQL Server.
CVE-2026-26127 – .NET Denial of Service Vulnerability – CVSS 7.5
The addressed vulnerability is another publicly disclosed zero-day flaw that attackers are exploiting to disrupt services over the network.
Attackers could leverage the flaw to:
- Disrupt services – attackers can make applications unresponsive, which could cause significant downtime of critical services and have a high impact on operations.
- Gain unauthorized access – this flaw can also be exploited alongside other flaws to gain unauthorized access.
- Cause total service outage, by exploiting the flaw, attackers can cause total outage of services that could impact an organization’s reputation through loss of customer trust.
- Drain resources – attackers can use the flaw to cause excessive consumption of system resources, leading to high operational costs and high investment towards resources to mitigate the impact.
Other flaws addressed
Microsoft has also addressed flaws (CVE-2026-26110 and CVE-2026-26113) in Microsoft Office that allowed attackers to remotely execute malicious codes via the preview pane. One information disclosure flaw (CVE-2026-26144) in Microsoft Excel, which was exploited by attackers to exfiltrate data and carry out a zero-click attack via Copilot, was also addressed via this update.
Secure Boot Certificates expire in June 2026
Protections for Secure Boot and Boot Manager will be disabled, and vulnerability fixes for BitLocker bypass will not be applied if the certificates nearing expiry are not replaced with the updated certificates.
While no action will be required by most users as Microsoft has delivered updated certificates via its update channels, some may need an OEM firmware update.
All the vulnerabilities addressed
The following is a complete list of vulnerabilities addressed in the March 2026 Patch Tuesday update:
|
Component |
CVE ID |
CVE Title |
Severity |
|
.NET |
.NET Elevation of Privilege Vulnerability |
Important |
|
|
.NET |
.NET Denial of Service Vulnerability |
Important |
|
|
Active Directory Domain Services |
Active Directory Domain Services Elevation of Privilege Vulnerability |
Important |
|
|
ASP.NET Core |
ASP.NET Core Denial of Service Vulnerability |
Important |
|
|
Azure Arc |
Hybrid Worker Extension (Arc-enabled Windows VMs) Elevation of Privilege Vulnerability |
Important |
|
|
Azure Compute Gallery |
Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability |
Critical |
|
|
Azure Compute Gallery |
Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability |
Critical |
|
|
Azure Compute Gallery |
Microsoft ACI Confidential Containers Information Disclosure Vulnerability |
Critical |
|
|
Azure Entra ID |
Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability |
Important |
|
|
Azure IoT Explorer |
Azure IOT Explorer Spoofing Vulnerability |
Important |
|
|
Azure IoT Explorer |
Azure IoT Explorer Information Disclosure Vulnerability |
Important |
|
|
Azure IoT Explorer |
Azure IoT Explorer Information Disclosure Vulnerability |
Important |
|
|
Azure IoT Explorer |
Azure IoT Explorer Information Disclosure Vulnerability |
Important |
|
|
Azure Linux Virtual Machines |
Linux Azure Diagnostic extension (LAD) Elevation of Privilege Vulnerability |
Important |
|
|
Azure MCP Server |
Azure MCP Server Tools Elevation of Privilege Vulnerability |
Important |
|
|
Azure Portal Windows Admin Center |
Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability |
Important |
|
|
Azure Windows Virtual Machine Agent |
Arc Enabled Servers – Azure Connected Machine Agent Elevation of Privilege Vulnerability |
Important |
|
|
Broadcast DVR |
Broadcast DVR Elevation of Privilege Vulnerability |
Important |
|
|
Connected Devices Platform Service (Cdpsvc) |
Windows Connected Devices Platform Service Elevation of Privilege Vulnerability |
Important |
|
|
GitHub Repo: zero-shot-scfoundation |
GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability |
Important |
|
|
Microsoft Authenticator |
Microsoft Authenticator Information Disclosure Vulnerability |
Important |
|
|
Microsoft Brokering File System |
Microsoft Brokering File System Elevation of Privilege Vulnerability |
Important |
|
|
Microsoft Devices Pricing Program |
Microsoft Devices Pricing Program Remote Code Execution Vulnerability |
Critical |
|
|
Microsoft Edge (Chromium-based) |
Chromium: CVE-2026-3544 Heap buffer overflow in WebCodecs |
Unknown |
|
|
Microsoft Edge (Chromium-based) |
Chromium: CVE-2026-3540 Inappropriate implementation in WebAudio |
Unknown |
|
|
Microsoft Edge (Chromium-based) |
Chromium: CVE-2026-3536 Integer overflow in ANGLE |
Unknown |
|
|
Microsoft Edge (Chromium-based) |
Chromium: CVE-2026-3538 Integer overflow in Skia |
Unknown |
|
|
Microsoft Edge (Chromium-based) |
Chromium: CVE-2026-3545 Insufficient data validation in Navigation |
Unknown |
|
|
Microsoft Edge (Chromium-based) |
Chromium: CVE-2026-3541 Inappropriate implementation in CSS |
Unknown |
|
|
Microsoft Edge (Chromium-based) |
Chromium: CVE-2026-3543 Inappropriate implementation in V8 |
Unknown |
|
|
Microsoft Edge (Chromium-based) |
Chromium: CVE-2026-3539 Object lifecycle issue in DevTools |
Unknown |
|
|
Microsoft Edge (Chromium-based) |
Chromium: CVE-2026-3542 Inappropriate implementation in WebAssembly |
Unknown |
|
|
Microsoft Graphics Component |
Windows Graphics Component Denial of Service Vulnerability |
Important |
|
|
Microsoft Graphics Component |
Windows Graphics Component Information Disclosure Vulnerability |
Important |
|
|
Microsoft Graphics Component |
Windows Graphics Component Denial of Service Vulnerability |
Important |
|
|
Microsoft Graphics Component |
Windows Graphics Component Elevation of Privilege Vulnerability |
Important |
|
|
Microsoft Office |
Microsoft Office Remote Code Execution Vulnerability |
Critical |
|
|
Microsoft Office |
Microsoft Office Remote Code Execution Vulnerability |
Critical |
|
|
Microsoft Office |
Microsoft Office Elevation of Privilege Vulnerability |
Important |
|
|
Microsoft Office Excel |
Microsoft Excel Information Disclosure Vulnerability |
Critical |
|
|
Microsoft Office Excel |
Microsoft Excel Remote Code Execution Vulnerability |
Important |
|
|
Microsoft Office Excel |
Microsoft Excel Remote Code Execution Vulnerability |
Important |
|
|
Microsoft Office Excel |
Microsoft Excel Remote Code Execution Vulnerability |
Important |
|
|
Microsoft Office Excel |
Microsoft Excel Remote Code Execution Vulnerability |
Important |
|
|
Microsoft Office SharePoint |
Microsoft SharePoint Server Spoofing Vulnerability |
Important |
|
|
Microsoft Office SharePoint |
Microsoft SharePoint Server Remote Code Execution Vulnerability |
Important |
|
|
Microsoft Office SharePoint |
Microsoft SharePoint Server Remote Code Execution Vulnerability |
Important |
|
|
Microsoft Semantic Kernel Python SDK |
GitHub: CVE-2026-26030 Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable |
Important |
|
|
Payment Orchestrator Service |
Payment Orchestrator Service Elevation of Privilege Vulnerability |
Critical |
|
|
Push Message Routing Service |
Push message Routing Service Elevation of Privilege Vulnerability |
Important |
|
|
Role: Windows Hyper-V |
Windows Hyper-V Elevation of Privilege Vulnerability |
Important |
|
|
SQL Server |
SQL Server Elevation of Privilege Vulnerability |
Important |
|
|
SQL Server |
SQL Server Elevation of Privilege Vulnerability |
Important |
|
|
SQL Server |
SQL Server Elevation of Privilege Vulnerability |
Important |
|
|
System Center Operations Manager |
System Center Operations Manager (SCOM) Elevation of Privilege Vulnerability |
Important |
|
|
Windows Accessibility Infrastructure (ATBroker.exe) |
Windows Accessibility Infrastructure (ATBroker.exe) Information Disclosure Vulnerability |
Important |
|
|
Windows Accessibility Infrastructure (ATBroker.exe) |
Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability |
Important |
|
|
Windows Ancillary Function Driver for WinSock |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Important |
|
|
Windows Ancillary Function Driver for WinSock |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Important |
|
|
Windows Ancillary Function Driver for WinSock |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Important |
|
|
Windows Ancillary Function Driver for WinSock |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Important |
|
|
Windows App Installer |
Windows App Installer Spoofing Vulnerability |
Important |
|
|
Windows Authentication Methods |
Windows Authentication Elevation of Privilege Vulnerability |
Important |
|
|
Windows Bluetooth RFCOM Protocol Driver |
Windows Bluetooth RFCOM Protocol Driver Elevation of Privilege Vulnerability |
Important |
|
|
Windows Device Association Service |
Windows Device Association Service Elevation of Privilege Vulnerability |
Important |
|
|
Windows Device Association Service |
Windows Device Association Service Elevation of Privilege Vulnerability |
Important |
|
|
Windows DWM Core Library |
Windows DWM Core Library Elevation of Privilege Vulnerability |
Important |
|
|
Windows Extensible File Allocation |
Windows Extensible File Allocation Table Elevation of Privilege Vulnerability |
Important |
|
|
Windows File Server |
Multiple UNC Provider Kernel Driver Elevation of Privilege Vulnerability |
Important |
|
|
Windows GDI |
GDI Remote Code Execution Vulnerability |
Important |
|
|
Windows GDI+ |
GDI+ Information Disclosure Vulnerability |
Important |
|
|
Windows Kerberos |
Windows Kerberos Security Feature Bypass Vulnerability |
Important |
|
|
Windows Kernel |
Windows Kernel Elevation of Privilege Vulnerability |
Important |
|
|
Windows Kernel |
Windows Kernel Elevation of Privilege Vulnerability |
Important |
|
|
Windows Kernel |
Windows Kernel Elevation of Privilege Vulnerability |
Important |
|
|
Windows MapUrlToZone |
MapUrlToZone Security Feature Bypass Vulnerability |
Important |
|
|
Windows Mobile Broadband |
Windows Mobile Broadband Driver Remote Code Execution Vulnerability |
Important |
|
|
Windows NTFS |
Windows NTFS Elevation of Privilege Vulnerability |
Important |
|
|
Windows Performance Counters |
Performance Counters for Windows Elevation of Privilege Vulnerability |
Important |
|
|
Windows Print Spooler Components |
Windows Print Spooler Remote Code Execution Vulnerability |
Important |
|
|
Windows Projected File System |
Windows Projected File System Elevation of Privilege Vulnerability |
Important |
|
|
Windows Resilient File System (ReFS) |
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability |
Important |
|
|
Windows Routing and Remote Access Service (RRAS) |
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
Important |
|
|
Windows Routing and Remote Access Service (RRAS) |
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
Important |
|
|
Windows Routing and Remote Access Service (RRAS) |
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
Important |
|
|
Windows Shell Link Processing |
Windows Shell Link Processing Spoofing Vulnerability |
Important |
|
|
Windows SMB Server |
Windows SMB Server Elevation of Privilege Vulnerability |
Important |
|
|
Windows SMB Server |
Windows SMB Server Elevation of Privilege Vulnerability |
Important |
|
|
Windows System Image Manager |
Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability |
Important |
|
|
Windows Telephony Service |
Windows Telephony Service Elevation of Privilege Vulnerability |
Important |
|
|
Windows Universal Disk Format File System Driver (UDFS) |
Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability |
Important |
|
|
Windows Win32K |
Win32k Elevation of Privilege Vulnerability |
Important |
|
|
Winlogon |
Winlogon Elevation of Privilege Vulnerability |
Important |
SharkStriker’s recommendations
The following are some of the security recommendations:
- Immediately apply the March Patch Tuesday update to all the applicable Microsoft products.
- Prioritize patching the zero-day flaws in SQL Server and .NET, the critical RCE flaws in Microsoft Office, Excel, EoP flaws in Windows Kernel, and RCE flaws in SharePoint.
- Enable Multi-Factor Authentication (MFA) for administrative accounts and cloud services.
- Until the patches are applied for the flaws CVE-2026-26110 & CVE-2026-26113, disable the preview pane feature in Office.
- Verify whether all the near-expiry Secure Boot Certificates are updated for all the devices.
- Restrict network exposure for critical services such as SQL Server and Windows remote services.
- Monitor for indicators of exploitation including privilege escalation attempts, abnormal Office activity, and suspicious authentication logs.