Microsoft Patch Tuesday March 2026 – 78 Vulnerabilities Fixed, Including One Zero-day

Microsoft released its March 2026 Patch Tuesday security update on March 10, 2026, addressing 78 vulnerabilities across Windows, Microsoft Office, Azure, SQL Server, and .NET.

The update includes one actively exploited zero-day vulnerability and multiple Critical-rated flaws demanding immediate attention from security teams.

The most urgent fix this month is CVE-2026-21262, the sole zero-day in this release. Organizations are strongly advised to prioritize patching this vulnerability without delay.

While Microsoft has not publicly attributed active exploitation to a specific threat actor, the presence of a zero-day underscores the need for rapid patch deployment across all affected environments.

Additionally, CVE-2026-26127, a .NET Denial of Service vulnerability, has been marked as publicly disclosed, meaning exploit details were available before the patch was released. This classification raises the risk of opportunistic exploitation even without confirmed in-the-wild attacks.

Critical Vulnerabilities Patched

Three vulnerabilities received Microsoft’s highest Critical severity rating:

• CVE-2026-26144 – Microsoft Excel Information Disclosure Vulnerability affecting Microsoft Office Excel. Despite being classified as an information disclosure flaw, its Critical rating indicates that successful exploitation could expose highly sensitive data.
• CVE-2026-26113 – Microsoft Office Remote Code Execution Vulnerability. An attacker who successfully exploits this flaw could execute arbitrary code in the context of the current user, making it a high-priority fix for enterprise environments.
• CVE-2026-26110 – A second Microsoft Office Remote Code Execution Vulnerability. Like CVE-2026-26113, this flaw targets Office and represents a significant code execution risk, particularly in environments where users regularly open externally sourced documents.

Consistent with prior months, Elevation of Privilege (EoP) flaws make up the largest category in this update. Notable EoP vulnerabilities include CVE-2026-26132 in the Windows Kernel, CVE-2026-26128 in Windows SMB Server, CVE-2026-25187 in Winlogon, CVE-2026-25189 in the Windows DWM Core Library, and CVE-2026-26148 affecting the Microsoft Azure AD SSH Login extension for Linux.

Cloud-focused fixes also include CVE-2026-26141 in the Hybrid Worker Extension for Arc-enabled Windows VMs, CVE-2026-26117 in the Azure Connected Machine Agent, and CVE-2026-26118 in Azure MCP Server Tools.

Several RCE vulnerabilities target critical infrastructure components. CVE-2026-26114 and CVE-2026-26106 both affect Microsoft SharePoint Server, which is commonly exposed to internal networks and represents a high-value target.

CVE-2026-26111 targets the Windows Routing and Remote Access Service (RRAS), and CVE-2026-25190 addresses a GDI Remote Code Execution Vulnerability in Windows GDI. Four separate Excel RCE flaws (CVE-2026-26112, CVE-2026-26109, CVE-2026-26108, CVE-2026-26107) were also patched this month.

This month’s release also covers CVE-2026-26130 (ASP.NET Core Denial of Service), CVE-2026-26131 (.NET Elevation of Privilege), CVE-2026-26123 (Microsoft Authenticator Information Disclosure), CVE-2026-26121 (Azure IoT Explorer Spoofing), CVE-2026-26105 (SharePoint Spoofing), CVE-2026-25188 (Windows Telephony Service EoP), CVE-2026-25186 (Windows Accessibility Infrastructure Information Disclosure), and CVE-2026-26116 and CVE-2026-26115 (SQL Server Elevation of Privilege).

Security teams should apply all March 2026 patches as soon as possible, with immediate priority on CVE-2026-21262, the three Critical Office and Excel flaws, the Windows Kernel and SMB Server EoP vulnerabilities, and the SharePoint RCE bugs. All affected product lines require customer action as confirmed by Microsoft.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.