Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. March’s release addresses 83 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET — a moderate volume with two publicly disclosed zero-days affecting SQL Server and .NET, though neither is being actively exploited in the wild. Six additional vulnerabilities are flagged as “Exploitation More Likely,” spanning the Windows Kernel, Graphics Component, SMB Server, Accessibility Infrastructure, and Winlogon. The most significant change this month is the introduction of Common Log File System (CLFS) hardening with signature verification — a major functional change that will affect how Windows handles log files across the operating system. Secure Boot and BitLocker testing continues from previous months. The breadth of component updates — file systems, networking, routing, accessibility, graphics, SMB, and telephony — warrants thorough regression testing before broad deployment.
CLFS Hardening (Major Functional Change)
The headline change in March’s release is a new hardening feature for the Common Log File System (CLFS), delivered in KB5079473 for Windows 11 24H2. CLFS is a general-purpose logging subsystem used by transactional NTFS, failover clustering, Windows Update, and many line-of-business applications. The update introduces signature verification for CLFS log files, operating in two modes. Learning Mode (the initial phase) automatically signs existing unsigned log files when they are first opened and audits events without blocking access. Enforcement Mode actively blocks log files that are unsigned or have mismatched signatures. This is a phased rollout — machines begin in Learning Mode, and administrators must manually switch to Enforcement Mode via registry configuration when satisfied that all log files have been properly signed.
- In Learning Mode, run a Windows Update check and install any available updates to verify update flows complete without errors
- Test backup and restore scenarios, as these rely heavily on CLFS-based transaction logging
- If your environment uses failover clustering or shared storage, validate that shared log files accessed from multiple machines are correctly signed and accessible
- Verify that line-of-business applications that use transactional logging start and operate normally in Learning Mode
- Switch to Enforcement Mode (Mode = 0), restart, and repeat the above tests; confirm that any unsigned log files created before the update are now blocked and that the system logs appropriate events
- Monitor Event Viewer for CLFS-related audit entries and errors throughout testing, particularly during Windows upgrade flows and application startup
Secure Boot & BitLocker (Continuing)
Secure Boot and BitLocker testing continues from previous months, with six specific test scenarios provided by Microsoft this cycle. These tests validate the interaction between Secure Boot state, BitLocker encryption, and key rolling related to the ongoing CVE-2023-24932 mitigation. Given the potential for boot failures and BitLocker recovery prompts, these tests should only be performed on dedicated test devices with recovery keys backed up in advance.
- Enable BitLocker on the OS drive, verify TPM protectors are present, then disable and verify the drive is fully decrypted
- Enable BitLocker on a data drive, verify protectors, then disable and verify decryption completes
- With Secure Boot enabled, enable BitLocker, then trigger the recovery screen and verify the recovery key unlocks the drive successfully
- With Secure Boot disabled, enable BitLocker, force recovery by modifying BCD test signing settings, unlock with the recovery key, then suspend BitLocker and verify normal boot resumes
- With Secure Boot and BitLocker both enabled, apply the Secure Boot key update (CVE-2023-24932) and verify the system boots normally without triggering a recovery screen
- Enable both Secure Boot and BitLocker, configure hibernation, put the system into hibernate, and verify it resumes to the correct state without recovery prompts
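A state check to run before and after each of the scenarios above. This is an added example, not a script from Microsoft or Readiness; the `-Expect` parameter and its two values are assumptions of this sketch, and it relies only on the built-in `Get-BitLockerVolume` and `Confirm-SecureBootUEFI` cmdlets.

```powershell
# Added example. Run elevated on a dedicated test device, before and after each scenario.
# -Expect is a hypothetical switch of this sketch: the state the scenario should leave behind.
param(
    [string]$MountPoint = $env:SystemDrive,
    [ValidateSet('Encrypted', 'Decrypted')][string]$Expect = 'Encrypted'
)
$ErrorActionPreference = 'Stop'
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | Where-Object { $_ } | ForEach-Object { [string]$_.KeyProtectorType })

# Confirm-SecureBootUEFI throws on firmware without UEFI support; record that as $null.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

$failures = @()
if ($Expect -eq 'Encrypted') {
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { $failures += "VolumeStatus is $($vol.VolumeStatus)" }
    if ($vol.ProtectionStatus -ne 'On')         { $failures += 'protection is off or suspended' }
    if (-not ($types -like 'Tpm*'))             { $failures += 'no TPM-based key protector' }
    if ($types -notcontains 'RecoveryPassword') { $failures += 'no recovery password protector' }
} else {
    if ($vol.VolumeStatus -ne 'FullyDecrypted') { $failures += "VolumeStatus is $($vol.VolumeStatus)" }
    if ($vol.EncryptionPercentage -ne 0)        { $failures += "still $($vol.EncryptionPercentage)% encrypted" }
}

# One record per run, so before/after states can be compared across scenarios.
[pscustomobject]@{
    MountPoint           = $vol.MountPoint
    SecureBoot           = $secureBoot
    VolumeStatus         = $vol.VolumeStatus
    ProtectionStatus     = $vol.ProtectionStatus
    EncryptionPercentage = $vol.EncryptionPercentage
    KeyProtectors        = $types -join ','
    Failures             = $failures -join '; '
}
if ($failures) { throw "BitLocker state check failed on ${MountPoint}: $($failures -join '; ')" }
```

After the suspend step in the Secure Boot disabled scenario, a `ProtectionStatus` of `Off` is the expected result, so read that failure line accordingly.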
File Systems
Four file system drivers received updates this month: exFAT (CVE-2026-25174, 7.8), NTFS (CVE-2026-25175, 7.8), ReFS (CVE-2026-23673, 7.8), and UDF (CVE-2026-23672, 7.8). All four are elevation of privilege vulnerabilities. The Windows test guidance calls for validation of end-of-file handling, file allocation, and offset operations across all four file systems.
- Test file operations on exFAT-formatted USB drives and SD cards: create, copy, move, and delete files of varying sizes, including files that fill the volume near capacity
- Validate NTFS operations including large file copies, sparse files, and files with extended attributes
- On servers using ReFS, verify volume integrity, file copy operations, and Storage Spaces Direct workloads
- Mount UDF-formatted optical media or ISO images and verify files can be read and browsed without errors
- Test end-of-file boundary conditions: create a file, write data to the end, then read back and verify data integrity
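The end-of-file boundary test in the last item, written out so it can be repeated on each file system. This is an added example, not part of the Microsoft test guidance; the `E:\eof-test` path and the 4096-byte cluster size are assumptions to adjust for the volume under test, and it needs PowerShell 5.0 or later.

```powershell
# Added example. Assumptions: $Root is a scratch directory on the volume under test
# and $ClusterSize matches that volume's allocation unit size.
param(
    [string]$Root = 'E:\eof-test',
    [int]$ClusterSize = 4096
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$sha = [System.Security.Cryptography.SHA256]::Create()
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
function Get-Hex([byte[]]$Bytes) { [System.BitConverter]::ToString($sha.ComputeHash($Bytes)) }

# Sizes that straddle allocation boundaries: empty, 1 byte, cluster-1, cluster, cluster+1.
$sizes = 0, 1, ($ClusterSize - 1), $ClusterSize, ($ClusterSize + 1), (16 * $ClusterSize + 1)

$results = foreach ($size in $sizes) {
    $path = Join-Path $Root "eof_$size.bin"
    $body = [byte[]]::new($size); $rng.GetBytes($body)
    $tail = [byte[]]::new(17);    $rng.GetBytes($tail)
    [System.IO.File]::WriteAllBytes($path, $body)

    $fs = [System.IO.File]::Open($path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite)
    try {
        [void]$fs.Seek(0, [System.IO.SeekOrigin]::End)        # append exactly at the old EOF
        $fs.Write($tail, 0, $tail.Length)
        $fs.Flush($true)                                       # flush through to the device
        [void]$fs.Seek($size, [System.IO.SeekOrigin]::Begin)   # offset read of the appended bytes
        $readBack = [byte[]]::new($tail.Length)
        $got  = $fs.Read($readBack, 0, $readBack.Length)
        $past = $fs.Read([byte[]]::new(1), 0, 1)               # a read at EOF must return 0 bytes
    } finally { $fs.Dispose() }

    $onDisk = [System.IO.File]::ReadAllBytes($path)
    [pscustomobject]@{
        Size      = $size
        LengthOk  = $onDisk.Length -eq ($size + $tail.Length)
        TailOk    = ($got -eq $tail.Length) -and ((Get-Hex $readBack) -eq (Get-Hex $tail))
        EofReadOk = $past -eq 0
        HashOk    = (Get-Hex $onDisk) -eq (Get-Hex ([byte[]]($body + $tail)))
    }
    Remove-Item $path
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not ($_.LengthOk -and $_.TailOk -and $_.EofReadOk -and $_.HashOk) }) {
    throw 'End-of-file boundary check failed on at least one size.'
}
```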
Networking & Bluetooth
The Ancillary Function Driver for WinSock (afd.sys) received four patches this month (CVE-2026-24293, CVE-2026-25176, CVE-2026-25178, CVE-2026-25179), making it the most heavily patched component. The Device Association Service (das.dll) and Bluetooth RFCOMM driver (CVE-2026-23671, 7.0) were also updated, along with core network components including NDIS and MUP (Multiple UNC Provider).
- Send and receive data over the network including large file transfers over IPv6, verifying data integrity on completion
- Test messaging applications such as Microsoft Teams and web browsing to exercise WinSock connectivity paths
- Pair and use Bluetooth devices including audio headsets, keyboards, and file transfer via RFCOMM
- Verify SMB, WebDAV, DFS, and NFS access through the Multiple UNC Provider — open files on remote shares using UNC paths and confirm reads and writes succeed
- Test Nearby sharing and device pairing scenarios using the Device Association Service
Graphics, GDI & Accessibility
The Graphics Component received a vulnerability flagged as Exploitation More Likely (CVE-2026-23668, 7.0), alongside updates to GDI (CVE-2026-25190, 7.8) and GDI+ (CVE-2026-25181, 7.5). The Accessibility Infrastructure (ATBroker.exe) also has an Exploitation More Likely vulnerability (CVE-2026-24291, 7.8) and an information disclosure issue (CVE-2026-25186, 5.5). The Windows Shell link processing component (CVE-2026-25185) and the DWM Core Library (CVE-2026-25189, 7.8) were also patched.
- Open and render EMF and WMF metafiles in applications that rely on GDI/GDI+ — verify images display correctly without crashes or rendering artefacts
- Test applications that use the GDI+ library for image processing, including printing workflows
- Verify that On-Screen Keyboard, Magnifier, and Narrator launch and function correctly after applying the update
- Test creation and use of shortcut (.lnk) files — create shortcuts to applications, documents, and network locations, then verify they resolve and open correctly
- Confirm that desktop animations, transparency effects, and window transitions render correctly, particularly on multi-monitor setups with different DPI scaling
SMB & File Sharing
The Windows SMB Server has an Exploitation More Likely vulnerability (CVE-2026-24294, 7.8) alongside a second SMB issue (CVE-2026-26128, 7.8). The Windows File Server component also received a high-scoring patch (CVE-2026-24283, 8.8). Updates to srv.sys, srv2.sys, and srvnet.sys affect all editions from Windows 10 1607 through Windows Server 2025.
- Access files on SMB remote shares with SMB signing enabled — perform read, write, copy, and delete operations
- Repeat the above tests with SMB signing disabled to validate both paths
- Perform sustained file I/O to network shares under load, verifying that connections remain stable and data integrity is maintained
- Test access to SMB shares from different client OS versions to validate cross-version compatibility
Kernel & Winlogon
The Windows Kernel received two Exploitation More Likely vulnerabilities (CVE-2026-24289 and CVE-2026-26132, both 7.8), plus a third kernel issue (CVE-2026-24287, 7.8). Winlogon also has an Exploitation More Likely vulnerability (CVE-2026-25187, 7.8). The kernel updates affect ntoskrnl.exe and prjflt.sys (the Projected File System filter), impacting core I/O operations across all supported Windows versions.
- Test file copy and move operations across local drives, verifying data integrity on large files and directories with deep nesting
- Validate file read and write operations including concurrent access from multiple processes
- Verify file and folder access control permissions are correctly enforced — create restricted files and confirm that unauthorised accounts cannot read or modify them
- Test Winlogon scenarios: interactive logon, logoff, workstation lock and unlock, fast user switching, and Ctrl+Alt+Delete secure attention sequence
- If using Windows Projected File System (e.g. Scalar for large Git repos), verify that projected files materialise correctly on access
Routing, VPN & Remote Access
The Routing and Remote Access Service (RRAS) received three patches this month: CVE-2026-25172 (8.8), CVE-2026-25173 (8.0), and CVE-2026-26111 (8.8). These affect the RRAS management snap-in, packet filtering, and SSTP VPN connectivity. Organisations running Windows Server with the RRAS role should prioritise testing.
- Open the RRAS management snap-in and verify that routing tables and interface configurations display correctly
- Test packet filter rules — create, modify, and delete filters, then verify traffic is correctly permitted or blocked
- Establish and disconnect SSTP VPN connections, verifying that data flows correctly and the tunnel remains stable under sustained use
- Verify static routes and RIP routing configuration persists across service restarts
Telephony & Screen Capture
The Windows Telephony Service received a high-scoring vulnerability (CVE-2026-25188, 8.8) affecting tapisrv.dll. The Broadcast DVR user service (CVE-2026-23667, 7.0) used for screen recording through the Xbox Game Bar was also patched.
- If your environment uses TAPI-based telephony, test line forwarding scenarios with multiple forwarding entries configured
- Open the Xbox Game Bar (Win+G) and test screen capture, video recording, and audio recording — verify captured files play back correctly
SQL Server
SQL Server received three vulnerabilities all scored at 8.8, one of which — CVE-2026-21262, an elevation of privilege issue — is a publicly disclosed zero-day. The remaining two (CVE-2026-26115 and CVE-2026-26116) are remote code execution vulnerabilities. GDR patches span SQL Server 2016 SP3 through SQL Server 2025, with ten separate KB articles covering both RTM and cumulative update baselines across all supported versions. Given the public disclosure, SQL Server patching should be prioritised.
- Install the appropriate GDR patch on top of the correct baseline (RTM or latest CU) for your SQL Server version
- Verify that the SQL Server service starts, accepts connections, and executes queries normally after patching
- Test database backup and restore operations to ensure transactional integrity
- Validate that existing replication and Always On availability groups continue to function correctly
Office & SharePoint
Microsoft Excel received five vulnerabilities (CVE-2026-26107, CVE-2026-26108, CVE-2026-26109, CVE-2026-26112, CVE-2026-26144), with CVE-2026-26109 scoring 8.4. SharePoint Server has three vulnerabilities including CVE-2026-26106 (8.8) and CVE-2026-26114 (8.8). The general Microsoft Office platform received three vulnerabilities including two scored at 8.4 (CVE-2026-26110, CVE-2026-26113).
- Open and edit complex Excel workbooks with formulas, macros, and external data connections
- Validate SharePoint document library operations, co-authoring, and workflow execution
- Test Office add-ins and verify that line-of-business applications integrating with Office operate correctly
- Open documents containing embedded objects and verify they render and activate without errors
.NET & ASP.NET Core
March includes patches for .NET and ASP.NET Core, including a publicly disclosed zero-day: CVE-2026-26127, a denial-of-service vulnerability scored at 7.5 that affects the .NET runtime. A second .NET vulnerability (CVE-2026-26131, EoP, 7.8) and an ASP.NET Core denial-of-service issue (CVE-2026-26130, 7.5) round out the .NET updates. These affect runtime and SDK packages. No application rebuilds or configuration changes are expected, but the public disclosure warrants prompt patching.
- Confirm that existing .NET applications start and execute correctly after installing the runtime update
- Test runtime functionality including file I/O, networking, cryptography, and threading
- Validate ASP.NET Core workloads, particularly those exposed to untrusted input that could trigger the denial-of-service conditions patched this month
Testing Priorities
While none of this month’s vulnerabilities are being actively exploited, the two publicly disclosed zero-days in SQL Server (CVE-2026-21262) and .NET (CVE-2026-26127) mean attackers already have knowledge of these flaws — organisations should not delay patching. The six Exploitation More Likely vulnerabilities — spanning the Windows Kernel, Winlogon, SMB Server, Graphics Component, and Accessibility Infrastructure — affect core operating system stability and should be patched promptly. The CLFS hardening change is the most consequential functional update this cycle; deploy in Learning Mode first and allow sufficient time for all log files to be signed before transitioning to Enforcement Mode, particularly in environments with failover clustering or heavy transactional workloads. Secure Boot and BitLocker validation remains critical for device fleet management as the CVE-2023-24932 key rolling process continues. Organisations using RRAS for VPN or routing should test promptly given the three high-scoring vulnerabilities in that component. SQL Server and .NET administrators should treat their respective zero-days as the highest priority and apply patches before the next business cycle.


