Monday, March 16, 2026

For March, Patch Tuesday delivers fixes for 83 vulnerabilities – Computerworld




  • CVE-2026-24289, CVE-2026-26132 — Windows Kernel — Elevation of privilege (CVSS 7.8); memory corruption and use-after-free conditions enabling SYSTEM escalation from a local authenticated session.
  • CVE-2026-25187 — Winlogon — Elevation of privilege (CVSS 7.8); discovered by Google Project Zero. Given Winlogon’s position in the authentication path, this is a high-value target for post-exploitation.
  • CVE-2026-24294 — Windows SMB Server — Elevation of privilege (CVSS 7.8); authentication flaw permitting privilege escalation on systems with SMB enabled.
  • CVE-2026-24291 — Windows Accessibility Infrastructure (ATBroker.exe) — Elevation of privilege (CVSS 7.8).
  • CVE-2026-23668 — Windows Graphics Component — Elevation of privilege (CVSS 7.0); race condition.

With no actively exploited vulnerabilities, no critical ratings, and no publicly disclosed issues, this is the quietest Windows month of the year so far. Add these updates to your standard deployment schedule. (Kind of amazing, eh?)

Microsoft Office

Microsoft Office received 12 security fixes, including three rated critical. None are actively exploited or publicly disclosed, and none are flagged as “Exploitation More Likely,” but the attack surface warrants attention.

  • CVE-2026-26113, CVE-2026-26110 — Microsoft Office — Remote code execution (CVSS 8.4, critical). Both confirm the Preview Pane as an attack vector: simply previewing a malicious file in Outlook or File Explorer is sufficient to trigger execution without further user interaction.
  • CVE-2026-26144 — Microsoft Excel — Information disclosure (CVSS 7.5, critical). This is a novel vulnerability: a network-accessible, zero-click data exfiltration path through Copilot Agent mode. No user interaction is required. It’s unusual to see an information disclosure rated critical, reflecting the sensitivity of the data exposed.

The two Preview Pane RCEs (CVE-2026-26113, CVE-2026-26110) make this a “Patch Now” release for Office. Organizations that cannot deploy immediately should consider temporarily disabling the Preview Pane in Outlook and File Explorer.

Microsoft SQL Server and Exchange

SQL Server has three elevation-of-privilege vulnerabilities, all CVSS 8.8, all enabling authenticated users to escalate to sysadmin over the network:

  • CVE-2026-21262 — Improper access control. Publicly disclosed (zero-day). Affects SQL Server 2016 SP3 through 2025.
  • CVE-2026-26115 — Improper input validation. Affects SQL Server 2016 SP3 through 2025.
  • CVE-2026-26116 — SQL injection. Affects SQL Server 2025 only.

CVE-2026-21262 is one of this month’s two zero-days. While rated “Exploitation Less Likely,” the public disclosure and broad version coverage (every supported version) warrant priority patching for SQL Server environments. Exchange Server has not received any security updates this month. Add these SQL Server updates to your Patch Now schedule.

Developer tools

For March, Microsoft addresses four vulnerabilities across .NET, ASP.NET Core, and Microsoft Semantic Kernel, all rated Important, covering the following:

  • CVE-2026-26127 — .NET — Denial of service (CVSS 7.5). Publicly disclosed (zero-day). An unauthenticated out-of-bounds read affecting .NET 9.0 and 10.0 across Windows, macOS, and Linux.
  • CVE-2026-26130 — ASP.NET Core — Denial of service (CVSS 7.5). Unauthenticated resource exhaustion across ASP.NET Core 8.0, 9.0, and 10.0.
  • CVE-2026-26030 — Semantic Kernel Python SDK — Remote code execution (CVSS 9.9). Filter bypass in InMemoryVectorStore; exploitation requires untrusted input to the filter path. Rated “Exploitation Unlikely.”
  • CVE-2026-26131 — .NET 10.0 — Elevation of privilege (CVSS 7.8). Incorrect default permissions on Windows.

The two unauthenticated DoS vulnerabilities are the priority for internet-facing .NET and ASP.NET Core services. CVE-2026-26127 is the second of this month’s two zero-days. Add these updates to your “Patch Now” deployment schedule.

Adobe (and third-party updates)

Adobe (but not Microsoft) has released a single update (APSB26-26) that affects Adobe Reader and Acrobat. Since you made it this far, one item worth flagging for its novelty: CVE-2026-21536 (CVSS 9.8), a critical unauthenticated remote code execution vulnerability in the Microsoft Devices Pricing Program, was discovered by XBOW, an autonomous AI-powered penetration testing agent. This marks one of the first critical-severity CVEs in a Microsoft product publicly attributed to an AI security researcher.
