
Microsoft Patches 83 CVEs in March Update

Dark Reading (archived Mar 16, 2026)

For a change, there's little in this month's Patch Tuesday that should cause panic, according to security experts.



Jai Vijayan, Contributing Writer
March 10, 2026

Microsoft this week released patches for 83 CVEs across its product range, six of which it expects attackers are more likely to exploit, for a variety of reasons. The patch drop is larger than last month's relatively light 63-patch security update and contains the usual mix of privilege escalation vulnerabilities, remote code execution (RCE) flaws, denial-of-service issues, vulnerabilities that enable data theft, and other bugs. However, there's little in the set that merits the immediate all-hands-on-deck response that some Microsoft updates warrant, according to security experts.

For the most part, Microsoft's March patch release should pose fewer challenges than usual, observed Tyler Reguly, associate director of security R&D at Fortra. "I don't see a lot of reasons for people to stress," Reguly said in a statement to Dark Reading. The only vulnerability to which Microsoft assigned a near-maximum severity score has already been fixed and requires no user action.

"The messaging this month should be, 'Apply your patches after you finish your testing cycles,'" he said. "There's nothing that requires rushing patches, nothing that requires panic … this is just a nice, quiet Patch Tuesday."

A Relatively Light Month

Microsoft assigned a CVSS severity score of more than 9 out of 10 to just one vulnerability in this month's set: CVE-2027-21536 (CVSS 9.8), an RCE vulnerability related to the Microsoft Devices Pricing Program for channel partners and distributors.

Ben McCarthy, lead cyber security engineer at Immersive, described the flaw as notable for being one of the first known vulnerabilities that an AI agent identified and that has an official CVE. "Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed," he said in an emailed comment.

Eight of the flaws disclosed this week have a severity rating of critical. Two others were publicly known prior to this week's patch update: CVE-2026-26127 (CVSS 7.5), a .NET denial-of-service vulnerability, and CVE-2026-21262 (CVSS 8.8), a SQL Server elevation-of-privilege flaw. Both bugs are technically zero-day flaws, but neither poses much of a threat, according to Satnam Narang, senior staff research engineer at Tenable. "Their public disclosure prior to today is the only novel trait," he said in a statement. "These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited."

EoP Bugs Rule

Elevation of privilege (EoP) bugs handily beat out all other vulnerability categories in Microsoft's Patch Tuesday this month and accounted for some 55.4% of the patched CVEs by Tenable's count. RCE vulnerabilities, which are often, and not always correctly, assumed to be more dangerous than EoP vulnerabilities, clocked in at 20.5%.

Among the EoP vulnerabilities that security vendors highlighted were three affecting the Windows kernel: CVE-2026-24289 (CVSS 7.8), CVE-2026-26132 (CVSS 7.8), and CVE-2026-24287 (CVSS 7.8). Of these, Microsoft assessed CVE-2026-24289 and CVE-2026-26132 as flaws that attackers would more likely exploit because they involve low attack complexity, no special privileges, and no user interaction.

Amol Sarwate, head of security research at Cohesity, recommended that administrators also pay attention to two other EoP vulnerabilities, because attackers will more likely attempt to exploit them: CVE-2026-24294 (CVSS 7.8) in SMB Server, and CVE-2026-23668 (CVSS 7.0) in the Microsoft Graphics Component. "Elevation of privilege is one of the attackers' primary methods for gaining access to networks and maintaining dwell time," Sarwate said in emailed comments.

RCE Bugs Worth Noting

The RCE vulnerabilities that security experts pointed to as more noteworthy in this month's set are two affecting Microsoft Office: CVE-2026-26113 (CVSS 8.4) and CVE-2026-26110 (CVSS 8.4). The Preview Pane is an attack vector in both cases, meaning a user could be compromised without having to open a malicious document or file.

"If the security update cannot be applied immediately, organizations should disable the Preview Pane in file explorers and restrict the opening of Office files from untrusted sources," advised Jack Bicer, director of vulnerability research at Action1, in a statement. "Implementing email filtering, attachment scanning, and endpoint protection monitoring can also reduce the risk of malicious document delivery."

CVE-2026-25190 (CVSS 7.8), an RCE vulnerability in GDI, and CVE-2026-25181 (CVSS 7.5), an information disclosure vulnerability in GDI+, the graphics APIs in Windows, are two vulnerabilities on Microsoft's less-likely-to-be-exploited list this month. But when chained, the two flaws enable a dual-stage attack that a bad actor could use to bypass a Windows security feature and execute arbitrary code. However, pulling off such an attack would take some doing, according to Ryan Braunstein, security manager at Automox.

"The precision required to pull this off suggests nation-state-level investment," he said in an emailed comment, "but the payoff matches: clean, reliable remote code execution on the target system."
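The interim Preview Pane mitigation quoted above, as an added administrative example that is not part of the article or any vendor guidance: the script audits whether File Explorer's Preview Pane is disabled by policy for the current user, applies that policy when run with -Enforce, and reports any Office Protected View policy that has been weakened for untrusted file sources. It assumes the "Turn off Preview Pane" policy is stored as NoPreviewPane under Policies\Explorer and that Office 16.0 Protected View policies use the Disable*InPV values; verify both against the ADMX files in your environment.

```powershell
# Added example (not from the article or Microsoft). Audit, and with -Enforce apply, the
# Explorer Preview Pane policy for the current user; report weakened Office Protected View.
# Assumed registry locations: NoPreviewPane under Policies\Explorer (File Explorer policy
# "Turn off Preview Pane") and Disable*InPV under the Office 16.0 protectedview policy key.
[CmdletBinding()]
param([switch]$Enforce)

$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$OfficeApps     = 'word', 'excel', 'powerpoint'
$PvValues       = 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV', 'DisableAttachmentsInPV'

function Test-PreviewPaneDisabled {
    # True only when the policy value exists and is set to 1.
    $v = (Get-ItemProperty -Path $ExplorerPolicy -Name NoPreviewPane -ErrorAction SilentlyContinue).NoPreviewPane
    return ($v -eq 1)
}

function Set-PreviewPaneDisabled {
    # Creates the policy key if needed and writes NoPreviewPane=1 (DWORD).
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    New-ItemProperty -Path $ExplorerPolicy -Name NoPreviewPane -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-WeakenedProtectedView {
    # Emits one record per Office app/setting where policy turns Protected View off (value 1).
    foreach ($app in $OfficeApps) {
        $path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security\protectedview"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $PvValues) {
            if ($props.$name -eq 1) {
                [pscustomobject]@{ App = $app; Setting = $name; Value = 1 }
            }
        }
    }
}

if (Test-PreviewPaneDisabled) {
    Write-Host 'Explorer Preview Pane: disabled by policy (mitigation in place).'
} elseif ($Enforce) {
    Set-PreviewPaneDisabled
    Write-Host 'Explorer Preview Pane: policy written; sign out or restart explorer.exe to apply.'
} else {
    Write-Warning 'Explorer Preview Pane: not disabled by policy. Re-run with -Enforce to apply.'
}

$weak = @(Get-WeakenedProtectedView)
if ($weak.Count) { $weak | Format-Table -AutoSize } else { Write-Host 'Office Protected View: no policy weakens it.' }
```

In a domain, deliver the same values through Group Policy rather than per-host scripting so they survive user changes and are reported centrally.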
About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.