Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. March’s release addresses 83 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET — a moderate volume with two publicly disclosed zero-days affecting SQL Server and .NET, though neither is being actively exploited in the wild. Six additional vulnerabilities are flagged as “Exploitation More Likely,” spanning the Windows Kernel, Graphics Component, SMB Server, Accessibility Infrastructure, and Winlogon.
The most significant change this month is the introduction of Common Log File System (CLFS) hardening with signature verification — a major functional change that will affect how Windows handles log files across the operating system. To help navigate these changes to their platforms, the team from Readiness has provided a helpful infographic detailing the risks of deploying updates to each platform.
Known Issues
March is another clean month for known issues. All three desktop KB articles — KB5079473 (Windows 11 25H2/24H2), KB5078883 (Windows 11 23H2), and KB5078885 (Windows 10 22H2) — explicitly state that Microsoft is not currently aware of any issues. Two issues carried over from earlier releases remain open:
- CVE-2025-59287 — Windows Server Update Services (WSUS) — Synchronisation error reporting remains intentionally disabled since October 2025 to mitigate this critical CVSS 9.8 unauthenticated RCE. Error details continue to be suppressed in the WSUS console with no timeline for restoration. Affects Server 2016 through Server 2025. Action: No workaround available; monitor Windows Server release health for updates.
- Windows Update Standalone Installer (WUSA) — Continues to fail with ERROR_BAD_PATHNAME when installing .msu packages from network shares containing multiple .msu files. Originated May 2025; affects Windows 11 24H2/25H2 and Server 2025. Action: Mitigated via Known Issue Rollback; copy .msu files to a local directory before installation.
Separately, Microsoft issued an out-of-band update on March 2 (KB5082314) for Windows Server 2022, addressing an issue with Windows Hello for Business certificate renewal in ADFS-based deployments.
Issues Resolved
The March release resolves a small number of issues from previous updates including:
- A known issue where Secure Launch-capable PCs with Virtual Secure Mode (VSM) enabled were unable to shut down or enter hibernation — instead restarting the device — has been fixed in KB5078885 for Windows 10 22H2. This had been affecting devices since the January 2026 security update.
- A Windows Defender Application Control (WDAC) issue where COM objects were incorrectly blocked despite being covered by allowlisting policies has been resolved in KB5079473 for Windows 11 24H2/25H2. COM objects are now allowed as expected when matching policy rules are configured.
Major Revisions and Mitigations
March is a quiet month for inter-cycle revisions. No previously published CVEs received severity upgrades, expanded affected-product lists, or new action requirements. The most notable inter-patch-cycle action was KB5082314, an out-of-band update released on March 2 for Windows Server 2022. This emergency patch addressed a Windows Hello for Business certificate renewal failure affecting Active Directory Federation Services (ADFS)-based deployments.
Windows Lifecycle and Enforcement Updates
Two enforcement deadlines covered in our January and February posts are now less than a month away:
- Kerberos RC4 deprecation — In April 2026, the default encryption for service account ticket issuance changes from RC4 to AES-SHA1 for accounts without an explicit msds-SupportedEncryptionTypes attribute. The July 2026 enforcement phase removes the RC4DefaultDisablementPhase registry override entirely.
- Windows Deployment Services (WDS) hardening — In April 2026, hands-free deployment will be disabled by default with a secure-by-default posture.
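To see which accounts the April Kerberos change will touch, the following added example (not part of the original post or any Microsoft tooling) lists user accounts with a service principal name and decodes their msDS-SupportedEncryptionTypes value. The function name `Get-SpnAccountEncTypeAudit` is hypothetical, and the script assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example: audit SPN-bearing accounts ahead of the Kerberos RC4 default change.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute
$EncFlags = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128-SHA1' = 0x08
    'AES256-SHA1' = 0x10
}

function Get-SpnAccountEncTypeAudit {   # hypothetical name
    [CmdletBinding()]
    param(
        # Optional OU distinguished name to limit the search
        [string]$SearchBase
    )

    $query = @{
        LDAPFilter = '(servicePrincipalName=*)'
        Properties = 'msDS-SupportedEncryptionTypes', 'PasswordLastSet'
    }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    foreach ($acct in Get-ADUser @query) {
        $raw   = $acct.'msDS-SupportedEncryptionTypes'
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }

        # Decode the bitmask into readable names
        $names = foreach ($flag in $EncFlags.GetEnumerator()) {
            if ($value -band $flag.Value) { $flag.Key }
        }

        $status = if ($value -eq 0) {
            'Unset: follows the default, so affected by the April 2026 change'
        } elseif ($value -band 0x18) {
            'AES explicitly enabled'
        } elseif ($value -band 0x04) {
            'RC4 explicitly set without AES'
        } else {
            'Other value: review manually'
        }

        [pscustomobject]@{
            Account         = $acct.SamAccountName
            RawValue        = $value
            EncTypes        = ($names -join ', ')
            # AES keys are only generated when a password is set, so check very old dates
            PasswordLastSet = $acct.PasswordLastSet
            Status          = $status
        }
    }
}

Get-SpnAccountEncTypeAudit | Sort-Object Status, Account | Format-Table -AutoSize
```

Accounts reported as unset are the ones whose ticket encryption changes in April; accounts with RC4 set explicitly keep requesting RC4 and need a separate review.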
CLFS Hardening
The headline change in March’s release is a new hardening feature for the Common Log File System (CLFS), delivered in KB5079473 for Windows 11 24H2. CLFS is a general-purpose logging subsystem used by transactional NTFS, failover clustering, Windows Update, and many line-of-business applications. The update introduces signature verification for CLFS log files, operating in two modes. Learning Mode (the initial phase) automatically signs existing unsigned log files when they are first opened and audits events without blocking access. Enforcement Mode actively blocks log files that are unsigned or have mismatched signatures. This is a phased rollout — machines begin in Learning Mode, and administrators must manually switch to Enforcement Mode via registry configuration when satisfied that all log files have been properly signed.
- In Learning Mode, run a Windows Update check and install any available updates to verify update flows complete without errors
- Test backup and restore scenarios, as these rely heavily on CLFS-based transaction logging
- If your environment uses failover clustering or shared storage, validate that shared log files accessed from multiple machines are correctly signed and accessible
- Verify that line-of-business applications that use transactional logging start and operate normally in Learning Mode
- Switch to Enforcement Mode, restart, and repeat the above tests; confirm that any unsigned log files created before the update are now blocked and that the system logs appropriate events
- Monitor Event Viewer for CLFS-related audit entries and errors throughout testing, particularly during Windows upgrade flows and application startup
File Systems
Four file system drivers received updates this month: exFAT (CVE-2026-25174, 7.8), NTFS (CVE-2026-25175, 7.8), ReFS (CVE-2026-23673, 7.8), and UDF (CVE-2026-23672, 7.8). All four are elevation of privilege vulnerabilities. This month’s Windows file system test guidance calls for validation of end-of-file handling, file allocation, and offset operations across all four file systems.
- Test file operations on exFAT-formatted USB drives and SD cards: create, copy, move, and delete files of varying sizes, including files that fill the volume near capacity
- Validate NTFS operations including large file copies, sparse files, and files with extended attributes
- On servers using ReFS, verify volume integrity, file copy operations, and Storage Spaces Direct workloads
- Mount UDF-formatted optical media or ISO images and verify files can be read and browsed without errors
Networking & Bluetooth
The Ancillary Function Driver for WinSock (afd.sys) received four patches this month (CVE-2026-24293, CVE-2026-25176, CVE-2026-25178, CVE-2026-25179), making it the most heavily patched component. The Device Association Service (das.dll) and Bluetooth RFCOMM driver (CVE-2026-23671, 7.0) were also updated, along with core network components including NDIS and MUP (Multiple UNC Provider).
- Test messaging applications such as Microsoft Teams and web browsing to exercise WinSock connectivity paths
- Pair and use Bluetooth devices including audio headsets, keyboards, and file transfer via RFCOMM
- Verify SMB, WebDAV, DFS, and NFS access through the Multiple UNC Provider — open files on remote shares using UNC paths and confirm reads and writes succeed
Graphics, GDI & Accessibility
The Graphics Component received a vulnerability flagged as Exploitation More Likely (CVE-2026-23668, 7.0), alongside updates to GDI (CVE-2026-25190, 7.8) and GDI+ (CVE-2026-25181, 7.5). The Accessibility Infrastructure (ATBroker.exe) also has an Exploitation More Likely vulnerability (CVE-2026-24291, 7.8) and an information disclosure issue (CVE-2026-25186, 5.5). The Windows Shell link processing component (CVE-2026-25185) and the DWM Core Library (CVE-2026-25189, 7.8) were also patched.
- Open and render EMF and WMF metafiles in applications that rely on GDI/GDI+ — verify images display correctly without crashes or rendering artefacts
- Test applications that use the GDI+ library for image processing, including printing workflows
- Verify that On-Screen Keyboard, Magnifier, and Narrator launch and function correctly after applying the update
- Test creation and use of shortcut (.lnk) files — create shortcuts to applications, documents, and network locations, then verify they resolve and open correctly
SMB & File Sharing
The Windows SMB Server has an Exploitation More Likely vulnerability (CVE-2026-24294, 7.8) alongside a second SMB issue (CVE-2026-26128, 7.8). The Windows File Server component also received a high-scoring patch (CVE-2026-24283, 8.8). Updates to srv.sys, srv2.sys, and srvnet.sys affect all editions from Windows 10 1607 through Windows Server 2025.
- Access files on SMB remote shares with SMB signing enabled — perform read, write, copy, and delete operations
- Repeat the above tests with SMB signing disabled to validate both paths
- Perform sustained file I/O to network shares under load, verifying that connections remain stable and data integrity is maintained
- Test access to SMB shares from different client OS versions to validate cross-version compatibility
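The read, write, copy, and delete checks above can be scripted so that each run also records whether the session was actually signed. This is an added example, not part of the original guidance; the function name `Test-SmbShareRoundTrip` and the share `\\fileserver01\patchtest` are placeholders, and it assumes a writable test share on a patched server.

```powershell
# Added example: round-trip a random file through an SMB share and verify integrity.
function Test-SmbShareRoundTrip {   # hypothetical name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SharePath,  # UNC path to a writable test share
        [int]$SizeMB = 64
    )

    $name   = 'smbtest_{0}.bin' -f [guid]::NewGuid()
    $local  = Join-Path $env:TEMP $name
    $remote = Join-Path $SharePath $name
    $copy   = "$remote.copy"
    $back   = "$local.back"

    try {
        # Write: random payload so the hash comparison is meaningful
        $bytes = New-Object byte[] ($SizeMB * 1MB)
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $rng.GetBytes($bytes)
        $rng.Dispose()
        [System.IO.File]::WriteAllBytes($local, $bytes)
        $expected = (Get-FileHash -Path $local -Algorithm SHA256).Hash
        Copy-Item -Path $local -Destination $remote

        Copy-Item -Path $remote -Destination $copy   # copy within the share
        Copy-Item -Path $copy -Destination $back     # read back to the client
        $actual = (Get-FileHash -Path $back -Algorithm SHA256).Hash

        # Record what was negotiated while the session is still open
        $server = ([uri]$SharePath).Host
        $conn = Get-SmbConnection -ServerName $server -ErrorAction SilentlyContinue |
            Select-Object -First 1

        Remove-Item -Path $remote, $copy             # delete
        [pscustomobject]@{
            Share     = $SharePath
            Dialect   = $conn.Dialect
            Signed    = $conn.Signed
            HashMatch = ($expected -eq $actual)
            Deleted   = -not ((Test-Path $remote) -or (Test-Path $copy))
        }
    }
    finally {
        # Clean up whatever is left, including after a failed step
        Remove-Item -Path $local, $back, $remote, $copy -ErrorAction SilentlyContinue
    }
}

# \\fileserver01\patchtest is a placeholder share name
Test-SmbShareRoundTrip -SharePath '\\fileserver01\patchtest' -SizeMB 256
```

Run it once with signing required and once with it disabled; the `Signed` column confirms which path each run exercised.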
Kernel & Winlogon
The Windows Kernel received two Exploitation More Likely vulnerabilities (CVE-2026-24289 and CVE-2026-26132, both 7.8), plus a third kernel issue (CVE-2026-24287, 7.8). Winlogon also has an Exploitation More Likely vulnerability (CVE-2026-25187, 7.8). Testing should include:
- Test Winlogon scenarios: interactive logon, logoff, workstation lock and unlock, fast user switching, and Ctrl+Alt+Delete secure attention sequence
- If using Windows Projected File System (e.g. Scalar for large Git repos), verify that projected files materialise correctly on access
Routing, VPN & Remote Access
The Routing and Remote Access Service (RRAS) received three patches this month: CVE-2026-25172 (8.8), CVE-2026-25173 (8.0), and CVE-2026-26111 (8.8). These affect the RRAS management snap-in, packet filtering, and SSTP VPN connectivity. Organisations running Windows Server with the RRAS role should prioritise testing.
- Open the RRAS management snap-in and verify that routing tables and interface configurations display correctly
- Test packet filter rules — create, modify, and delete filters, then verify traffic is correctly permitted or blocked
- Establish and disconnect SSTP VPN connections, verifying that data flows correctly and the tunnel remains stable under sustained use
- Verify static routes and ensure that RIP routing configuration persists across service restarts
SQL Server
SQL Server received three vulnerabilities, all scored at 8.8, one of which — CVE-2026-21262, an elevation of privilege issue — is a publicly disclosed zero-day. The remaining two (CVE-2026-26115 and CVE-2026-26116) are elevation of privilege vulnerabilities. GDR patches span SQL Server 2016 SP3 through SQL Server 2025, with ten separate KB articles covering both RTM and cumulative update baselines across all supported versions. Given the public disclosure, SQL Server patching should be prioritised.
- Install the appropriate GDR patch on top of the correct baseline (RTM or latest CU) for your SQL Server version
- Verify that the SQL Server service starts, accepts connections, and executes queries normally after patching
- Test database backup and restore operations to ensure transactional integrity
Office & SharePoint
Microsoft Excel received five vulnerabilities (CVE-2026-26107, CVE-2026-26108, CVE-2026-26109, CVE-2026-26112, CVE-2026-26144), with CVE-2026-26109 scoring 8.4. SharePoint Server has three vulnerabilities including CVE-2026-26106 (8.8) and CVE-2026-26114 (8.8). The general Microsoft Office platform received three vulnerabilities including two scored at 8.4 (CVE-2026-26110, CVE-2026-26113).
- Open and edit complex Excel workbooks with formulas, macros, and external data connections
- Validate SharePoint document library operations, co-authoring, and workflow execution
- Test Office add-ins and verify that line-of-business applications integrating with Office operate correctly
- Open documents containing embedded objects and verify they render and activate without errors
.NET & ASP.NET Core
March includes patches for .NET and ASP.NET Core, including a publicly disclosed zero-day: CVE-2026-26127, a denial-of-service vulnerability scored at 7.5 that affects the .NET runtime. A second .NET vulnerability (CVE-2026-26131, EoP, 7.8) and an ASP.NET Core denial-of-service issue (CVE-2026-26130, 7.5) round out the .NET updates. These affect runtime and SDK packages. No application rebuilds or configuration changes are expected, but the public disclosure warrants prompt patching.
- Test runtime functionality including file I/O, networking, cryptography, and threading
- Validate ASP.NET Core workloads, particularly those exposed to untrusted input that could trigger the denial-of-service conditions patched this month
The six “Exploitation More Likely” rated vulnerabilities — spanning the Windows Kernel, Winlogon, SMB Server, Graphics Component, and Accessibility Infrastructure — affect core operating system stability and will need immediate attention. Organisations using RRAS for VPN or routing should give priority to the three high-scoring vulnerabilities in that component.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange and SQL Server
- Microsoft Developer Tools (Visual Studio and .NET)
- Adobe (if you get this far)
Microsoft Edge (and Chromium)
Microsoft republished ten Chromium security fixes for Microsoft Edge this cycle, alongside one Edge-specific vulnerability. None are actively exploited or publicly disclosed.
- CVE-2026-26133 — M365 Copilot — Information disclosure (CVSS 7.1, Important); surfaces through Edge for Android and iOS. Customer action required.
The Chromium update addresses issues across several components covering CVE-2026-3536 (integer overflow in ANGLE), CVE-2026-3538 (integer overflow in Skia), and CVE-2026-3544 (heap buffer overflow in WebCodecs). Organisations should refer to the Chrome Releases blog for Google’s severity assessments. Add these low-impact browser updates to your standard release schedule.
Microsoft Windows
Windows accounts for 48 of this month’s 83 CVEs, all rated Important. There are no actively exploited or publicly disclosed vulnerabilities in the Windows category this cycle. Microsoft has flagged six CVEs as “Exploitation More Likely,” all of them elevation of privilege vulnerabilities:
- CVE-2026-24289, CVE-2026-26132 — Windows Kernel — Elevation of privilege (CVSS 7.8); memory corruption and use-after-free conditions enabling SYSTEM escalation from a local authenticated session.
- CVE-2026-25187 — Winlogon — Elevation of privilege (CVSS 7.8); discovered by Google Project Zero. Given Winlogon’s position in the authentication path, this is a high-value target for post-exploitation.
- CVE-2026-24294 — Windows SMB Server — Elevation of privilege (CVSS 7.8); authentication flaw allowing privilege escalation on systems with SMB enabled.
- CVE-2026-24291 — Windows Accessibility Infrastructure (ATBroker.exe) — Elevation of privilege (CVSS 7.8).
- CVE-2026-23668 — Windows Graphics Component — Elevation of privilege (CVSS 7.0); race condition.
With no actively exploited vulnerabilities, no critical ratings, and no publicly disclosed issues, this is the quietest Windows month of 2026 so far. Add these updates to your standard deployment schedule (kind of amazing, eh?).
Microsoft Office
Microsoft Office receives 12 security fixes this month, including three rated critical. None are actively exploited or publicly disclosed, and none are flagged as “Exploitation More Likely” — but the attack surface warrants attention.
- CVE-2026-26113, CVE-2026-26110 — Microsoft Office — Remote code execution (CVSS 8.4, critical). Both confirm the Preview Pane as an attack vector — simply previewing a malicious file in Outlook or File Explorer is sufficient to trigger execution without further user interaction.
- CVE-2026-26144 — Microsoft Excel — Information disclosure (CVSS 7.5, critical). This is a novel vulnerability: a network-accessible, zero-click data exfiltration path through Copilot Agent mode. No user interaction is required. It is unusual to see an information disclosure rated critical, reflecting the sensitivity of the data exposed.
The two Preview Pane RCEs (CVE-2026-26113, CVE-2026-26110) make this a Patch Now release for Office. Organisations that cannot deploy immediately should consider disabling the Preview Pane in Outlook and File Explorer as a temporary mitigation.
Microsoft SQL Server and Exchange
SQL Server has three elevation of privilege vulnerabilities, all CVSS 8.8, all enabling authenticated users to escalate to sysadmin over the network:
- CVE-2026-21262 — Improper access control. Publicly disclosed (zero-day). Affects SQL Server 2016 SP3 through 2025.
- CVE-2026-26115 — Improper input validation. Affects SQL Server 2016 SP3 through 2025.
- CVE-2026-26116 — SQL injection. Affects SQL Server 2025 only.
CVE-2026-21262 is one of this month’s two zero-days. While rated “Exploitation Less Likely,” the public disclosure and broad version coverage (every supported edition) warrant prioritised patching for SQL Server environments. Exchange Server has not received any security updates this month. Add these SQL Server updates to your Patch Now schedule.
Developer Tools
For this March Patch Tuesday, Microsoft addresses four vulnerabilities across .NET, ASP.NET Core, and Microsoft Semantic Kernel, all rated Important, covering the following:
- CVE-2026-26127 — .NET — Denial of service (CVSS 7.5). Publicly disclosed (zero-day). An unauthenticated out-of-bounds read affecting .NET 9.0 and 10.0 across Windows, macOS, and Linux.
- CVE-2026-26130 — ASP.NET Core — Denial of service (CVSS 7.5). Unauthenticated resource exhaustion across ASP.NET Core 8.0, 9.0, and 10.0.
- CVE-2026-26030 — Semantic Kernel Python SDK — Remote code execution (CVSS 9.9). Filter bypass in InMemoryVectorStore; exploitation requires untrusted input to the filter path. Rated “Exploitation Unlikely.”
- CVE-2026-26131 — .NET 10.0 — Elevation of privilege (CVSS 7.8). Incorrect default permissions on Windows.
The two unauthenticated DoS vulnerabilities are the priority for internet-facing .NET and ASP.NET Core services. CVE-2026-26127 is the second of this month’s two zero-days. Add these updates to your Patch Now deployment schedule.
Adobe (and 3rd party updates)
Adobe (but not Microsoft) has released a single update (APSB26-26) that affects Adobe Reader and Acrobat. Since you made it this far, one item worth flagging for its novelty: CVE-2026-21536 (CVSS 9.8), a critical unauthenticated remote code execution vulnerability in the Microsoft Devices Pricing Program, was discovered by XBOW, an autonomous AI-powered penetration testing agent. This marks one of the first critical-severity CVEs in a Microsoft product publicly attributed to an AI security researcher.


