March Patch Tuesday visits 15 product families

Microsoft on Tuesday released 84 patches affecting 15 product families – including a few you’ve possibly never encountered. Eight of the addressed issues are considered by Microsoft to be of Critical severity, though none of those affect Windows, nor are they expected to be exploited within the next 30 days. In addition, five of those Critical issues were in fact addressed by Microsoft in advance of Patch Tuesday itself, as we’ll discuss below. Twenty-two have a CVSS base score of 8.0 or higher, including one with a 9.8 base score. None are known to be under active exploit in the wild, but two are publicly disclosed so far.

At patch time, six CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in the usual table below.

We are as always including at the end of this post appendices listing all Microsoft’s patches sorted by severity (Appendix A), by predicted exploitability timeline and CVSS Base score (Appendix B), and by product family (Appendix C). Appendix D lists ten Edge CVEs addressed this month, as well as three Adobe CVEs and one Critical-severity issue affecting Windows Sematic Kernel and expressed via GitHub. Appendix E provides a breakout of the 45 CVEs affecting various versions of Windows Server.

By the numbers

• Total CVEs: 84
• Publicly disclosed: 2
• Exploit detected: 0
• Severity
  • Critical: 8
  • Important: 76
• Impact:
  • Denial of Service: 4
  • Elevation of Privilege: 46
  • Information Disclosure: 10
  • Remote Code Execution: 17
  • Security Feature Bypass: 3
  • Spoofing: 4
• CVSS base score 9.0 or greater: 1
• CVSS base score 8.0 or greater: 22

Figure 1: Elevation of Privilege issues once again lead the month by volume, though just three of those are Critical-severity

Products

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

Figure 2: Windows bugs make up just over half the total number for March, but there’s a variety of relatively obscure product families affected by this month’s patches. The Microsoft Devices Pricing Program, familiar to Microsoft’s channel partners in particular, is discussed and the issue described here. The Payment Orchestrator Service platform and the issue patched are discussed here. Both are among the five Critical-severity bugs patched by Microsoft in advance of Patch Tuesday.

Figure 3: A quarter of the way through 2026, Elevation of Privilege issues constitute half of the 255 CVEs covered by Patch Tuesdays so far this year. Just 21 of the CVEs addressed in the normal course of patching have been of Critical severity

Notable March updates

In addition to the issues discussed above, a number of specific items merit attention.

CVE-2026-26110 -- Microsoft Office Remote Code Execution Vulnerability
CVE-2026-26113 -- Microsoft Office Remote Code Execution Vulnerability
CVE-2026-26144 -- Microsoft Excel Information Disclosure Vulnerability

As mentioned above, five of the eight Critical-severity CVEs patched this month were in fact handled before Patch Tuesday, with Microsoft simply providing information on those in the interests of transparency. These three, on the other hand, were not. The first two both list preview pane as a vector; both affect 365 and Office, and SharePoint is also listed for CVE-2026-26113. The remaining CVE, meanwhile, affects 365 but not Office (nor, according to Microsoft’s information, Excel specifically). According to Microsoft, an attacker who successfully exploited this vulnerability could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling zero-click information disclosure attacks.

CVE-2026-23660 -- Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability

This Important-severity EoP requires some fairly specific administrator interaction, as there is no direct download link. Microsoft says, “Customers need to open the Extensions + Applications blade for their virtual machine in the Azure Portal and search for the extension named AdminCenter (Microsoft.AdminCenter.AdminCenter). From there, they can add or update the extension following the standard Azure VM extension installation process described here.”

CVE-2026-26123 -- Microsoft Authenticator Information Disclosure Vulnerability

This Important-severity information-disclosure issue requires some fairly specific user interaction. According to Microsoft, “the user must have a malicious application installed on their device and then accidentally select that application as the handler for the sign‑in deep link. This can occur when the user scans a QR code or taps a sign‑in link and chooses the malicious app instead of Microsoft Authenticator, causing the sign‑in flow to be handled by the attacker‑controlled app.” The issue affects both Android and iOS.

CVE-2026-24288 -- Windows Mobile Broadband Driver Remote Code Execution Vulnerability

The attack surface for this Important-severity RCE is a little perplexing – “triggered by physically connecting or manipulating hardware that interacts with the affected system” – until you notice that the finder, Nicolas Delhaye, is with aerospace titan Airbus. So… did you plug your phone into the seatback charger on your last flight?

CVE-2026-21262 – SQL Server Elevation of Privilege Vulnerability

This Important-severity bug, one of two that has already been publicly disclosed, came to Microsoft through one of the longest-tenured members of one of the longest-tenured outreach programs at the Redmond company. Erland Sommarskog with Erland Sommarskog SQL-Konsult AB, who has been a Microsoft MVP for twenty-five years, scores a finder credit for this one.

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of March patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (46 CVEs)

Remote Code Execution (14 CVEs)

Information Disclosure (10 CVEs)

Denial of Service (4 CVEs)

Spoofing (4 CVEs)

Security Feature Bypass (3 CVEs)

Appendix B: Exploitability and CVSS

This is a list of the six March CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.

These are the March CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.

Appendix C: Products Affected

This is a list of March’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (48 CVEs)

Azure (13 CVEs)

365 (7 CVEs)

Office (7 CVEs)

Excel (4 CVEs)

SharePoint (3 CVEs)

SQL Server (2 CVEs)

NET (2 CVEs)

ASP.NET (1 CVE)

GitHub Repo: Zero Shot scFoundation (1 CVE)

Microsoft Authenticator (1 CVE)

Microsoft Devices Pricing Program (1 CVE)

Payment Orchestrator Service (1 CVE)

PowerShell (1 CVE)

System Center Operations Manager (SCOM) (1 CVE)

Appendix D: Advisories and Other Products

March includes a CVE concerning an Important-severity RCE bug in Microsoft Semantic Kernel that rates a lofty 9.9 Base CVSS, though Microsoft judges that exploitation of the issue is unlikely within the next 30 days. There is a listed mitigation for this issue, which is to avoid using InMemoryVectorStore for production scenarios.

There are also ten Edge-related advisories listed in March’s release; all but CVE-2026-26140 were patched prior to Tuesday’s release. All but CVE-2026-3545 are marked in Microsoft’s information as unlikely to be exploited within the next 30 days.

Finally, there are three updates from Adobe, all affecting Reader 25.001.20982, 24.001.30264 (Windows), 24.001.30273 (Mac) and earlier; they are addresseḍ in APSB26-26.

Appendix E: Affected Windows Server versions

This is a table of the 45 CVEs in the March release affecting Windows Server versions 2012 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). An “x” indicates that the CVE does not apply to that version. CVE-2026-23667, CVE-2026-24282, and CVE-2026-24288 affect only client-side versions of Windows and are thus not included in the table.

Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.