Microsoft releases March 2026 Patch Tuesday fixing critical vulnerabilities

Microsoft’s March Patch Tuesday addressed a broad spectrum of flaws across its Windows stack, but the most consequential fixes target privilege‑escalation pathways that could let low‑level accounts seize system‑wide control. According to KrebsonSecurity, 55 percent of the 77 CVEs released this month are elevation‑of‑privilege bugs, and half a dozen of those are flagged as “exploitation more likely” by Tenable’s Satnam Narang. These high‑risk entries span the Windows Graphics Component, Accessibility Infrastructure, Kernel, SMB Server and Winlogon processes, each carrying a CVSS v3 base score of 7.8. For example, CVE‑2026‑24291 grants SYSTEM‑level rights through mis‑configured permissions in the Accessibility Infrastructure, while CVE‑2026‑24294 exploits improper authentication in the core SMB component, a vector historically favored by ransomware operators. CVE‑2026‑24289 is a memory‑corruption and race‑condition flaw that can be weaponized to execute arbitrary code, and CVE‑2026‑25187—discovered by Google Project Zero—targets the Winlogon process, potentially allowing attackers to hijack the login sequence. Collectively, these bugs underscore a persistent tension in Windows: the need to maintain backward compatibility while hardening deeply entrenched system services.

Two of the disclosed vulnerabilities had already been public before Microsoft’s March release. CVE‑2026‑21262, a privilege‑escalation issue in SQL Server 2016 and later, lets an authorized attacker elevate to sysadmin over a network. Rapid7’s Adam Barnett noted the CVSS 3 score of 8.8 places it just below the “critical” threshold, but warned that “it would be a courageous defender who shrugged and deferred the patches for this one.” The second pre‑public flaw, CVE‑2026‑26127, resides in .NET applications and primarily triggers a denial‑of‑service crash; Barnett added that while the immediate impact is limited, the instability could open doors for secondary attacks during service restarts.

Microsoft’s Office suite remains a fertile ground for remote‑code execution (RCE) exploits, and March’s update includes two such bugs that can be triggered simply by viewing a malicious message in the Preview Pane. CVE‑2026‑26113 and CVE‑2026‑26110 both allow attackers to execute arbitrary code without user interaction, a classic “drive‑by” scenario that has plagued enterprise environments for years. These Office‑related RCEs are especially concerning for organizations that rely on Outlook’s preview functionality for high‑volume email processing, as a single crafted message can compromise the entire client machine. Security analysts have long advised disabling the Preview Pane or applying stricter attachment filtering as interim mitigations until patches are deployed.

A notable first‑of‑its‑kind entry in the March bulletin is CVE‑2026‑21536, a critical RCE bug in the Microsoft Devices Pricing Program. Ben McCarthy, lead cyber‑security engineer at Immersive, highlighted that the vulnerability was identified by XBOW, an autonomous AI penetration‑testing agent that has repeatedly topped the HackerOne bug‑bounty leaderboard. McCarthy emphasized that “although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI‑driven discovery of complex vulnerabilities at increasing speed.” The CVSS rating of 9.8 places CVE‑2026‑21536 among the most severe flaws in the release, and its discovery without direct source‑code access illustrates how AI tools can extrapolate attack surfaces from binary analysis and public documentation. Microsoft’s rapid response—patching the issue on its end with no required action from end‑users—demonstrates a growing operational model where vendors may pre‑emptively remediate AI‑found bugs before they surface in the wild.

Beyond the core Windows updates, Microsoft also shipped fixes for nine browser‑related vulnerabilities, though these are excluded from the official Patch Tuesday count. While the details of those browser patches were not enumerated in the KrebsonSecurity report, the inclusion signals Microsoft’s continued effort to shore up Edge and Internet Explorer against supply‑chain and memory‑corruption exploits that have plagued modern browsers. Administrators are urged to apply the cumulative updates promptly, prioritize the high‑severity privilege‑escalation CVEs, and consider hardening measures such as disabling SMBv1, enforcing least‑privilege policies for service accounts, and tightening Outlook’s preview settings until the Office patches are fully deployed.