Autres informations et services du gouvernement : www.belgium.be Centre for Cybersecurity Belgium
search

Warning: Microsoft Patch Tuesday March 2026 patches 83 vulnerabilities (8 Critical, 75 Important, 0 Moderate), patch Immediately!!

Image
Decorative image
Publié : 11/03/2026

. * Last Update: 11/03/2026

    * Affected products:
         → Multiple Microsoft Products

    * Type: Several types, ranging from Information Disclosure to Remote Code Execution and Privilege Escalation.

    * CVE/CVSS:
Microsoft patched 83 vulnerabilities in its March 2026 Patch Tuesday release, 8 rated as critical, 75 rated important. Including 2 0-day vulnerabilities and 0 vulnerabilities that are actively exploited.

Number of CVE by type:

  • 17 Remote Code Execution vulnerabilities
  • 46 Elevation of Privilege vulnerabilities
  • 10 Information Disclosure vulnerabilities
  • 4 Spoofing vulnerability
  • 4 Denial of Service vulnerabilities
  • 2 Security Feature Bypass vulnerabilities

Sources

Microsoft - https://msrc.microsoft.com/update-guide/releaseNote/2026-mars

Risks

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.

Microsoft’s March 2026 Patch Tuesday includes 83 vulnerabilities (8 critical, 75 important, 0 moderate and 0 low), for a wide range of Microsoft products, impacting Microsoft Server and Workstations. This Patch Tuesday includes 0 actively exploited vulnerabilities and 2 zero-days. Some other vulnerabilities are also more likely to be exploited soon, therefore urgent patching is advised.

Description

The CCB would like to point your attention to following vulnerabilities:

CVE-2026-26110: Microsoft Office (Critical)

Remote Code Execution Vulnerability. This critical flaw allows an attacker to execute arbitrary code through a specially crafted Office document. Crucially, the Preview Pane in Microsoft Office serves as an attack vector, meaning a user can be compromised simply by previewing a malicious file, no need to open it.

Given how widely Office documents are shared via email and collaboration platforms, successful exploitation could allow attackers to deploy ransomware, steal data, or establish a foothold for lateral movement inside the organisation.

CVE-2026-26113: Microsoft Office (Critical)

Remote Code Execution Vulnerability. Similar to CVE-2026-26110, this critical flaw enables arbitrary code execution through the Office Preview Pane without requiring the user to fully open a malicious document. An unauthenticated local attacker could exploit this to gain code execution in the context of the current user.

CVE-2026-26144: Microsoft Excel (Critical)

Information Disclosure Vulnerability. Although classified as information disclosure, this flaw is rated Critical due to its novel attack scenario: an attacker can exploit the vulnerability in Excel to cause the Copilot Agent to exfiltrate data from the target system.

This effectively makes it a zero-click information disclosure at the level of the logged-on user. This type of AI-assisted data exfiltration attack is expected to become more common as AI agents become more deeply integrated into productivity tools.

CVE-2026-21262: SQL Server (Publicly disclosed zero-day)

Elevation of Privilege Vulnerability. This publicly disclosed zero-day affects SQL Server 2016 and later editions. An attacker with low-level authorised access can exploit improper access controls to elevate their privileges to SQL Server sysadmin over the network, effectively gaining full administrative control over the database environment. No user interaction is required. The CVSS score of 8.8 reflects the severity of full database compromise, and organisations running SQL Server should prioritise this patch.

CVE-2026-26127: .NET (Publicly disclosed zero-day)

Denial of Service Vulnerability. This publicly disclosed zero-day is an out-of-bounds read vulnerability affecting .NET 9.0 and 10.0 on Windows, macOS, and Linux. An unauthenticated attacker can exploit it remotely over the network to crash services relying on the affected .NET components, causing a denial-of-service condition. The immediate impact is limited to service disruption and Microsoft assesses exploitation as unlikely.

CVE-2026-23669: Windows Print Spooler (Important)

Remote Code Execution Vulnerability. An authenticated attacker can send specially crafted messages to an affected system to achieve arbitrary code execution, with no user interaction required. Given the history of Print Spooler vulnerabilities being rapidly weaponised, organisations should test and deploy this patch quickly to avoid a repeat of previous spooler exploitation campaigns.

CVE-2026-24289: Windows Kernel (Important)

Elevation of Privilege Vulnerability. This is a high-severity memory corruption and race condition flaw in the Windows Kernel that allows a local, authenticated attacker to elevate privileges to SYSTEM. Microsoft has assessed this as "Exploitation More Likely". It has a low attack complexity and it requires no user interaction. Such kernel-level privilege escalation flaws can be used after initial access to deepen an attacker's foothold.

CVE-2026-26132: Windows Kernel (Important)

Elevation of Privilege. Another Windows Kernel elevation of privilege vulnerability assessed as "Exploitation More Likely." A local attacker can exploit a use-after-free condition to gain administrator-level privileges.

CVE-2026-24294: Windows SMB Server (Important)

Elevation of Privilege Vulnerability. This flaw stems from improper authentication and allows a local attacker to elevate to SYSTEM-level privileges. SMB is a widely used protocol in enterprise environments for file sharing and network communication, making this vulnerability particularly relevant for organisations with extensive internal network infrastructure. Microsoft rates this as "Exploitation More Likely."

CVE-2026-25187: Winlogon (Important)

Elevation of Privilege Vulnerability. This vulnerability involves improper link resolution in the Winlogon process that could allow a local attacker to gain SYSTEM privileges. Microsoft rates this as "Exploitation More Likely." Winlogon is a critical Windows component responsible for handling user logon and logoff, making any weakness in this process a high-priority concern for defenders.

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

KrebsOnSecurity - https://krebsonsecurity.com/2026/03/microsoft-patch-tuesday-march-2026-edition/
Bleeping Computer - https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2026-patch-tuesday-fixes-2-zero-days-79-flaws/amp/
Tenable - https://www.tenable.com/blog/microsofts-march-2026-patch-tuesday-addresses-83-cves-cve-2026-21262-cve-2026-26127
Zero Day Initiative - https://www.zerodayinitiative.com/blog/2026/3/10/the-march-2026-security-update-review