For March, Patch Tuesday delivers fixes for 83 vulnerabilities
The team at Readiness analyzes the latest Patch Tuesday updates from Microsoft each month and provides detailed, actionable testing guidance. The March release addresses 83 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET, a moderate volume with two publicly disclosed zero-days affecting SQL Server and .NET (though neither is being actively exploited in the wild).
Six additional vulnerabilities spanning the Windows Kernel, Graphics Component, SMB Server, Accessibility Infrastructure, and Winlogon are flagged as “Exploitation More Likely.”
The most significant change this month is the introduction of Common Log File System (CLFS) hardening with signature verification, which will affect how Windows handles log files across the operating system.
To help navigate these changes, the Readiness team has created a useful infographic detailing the risks of deploying the updates. (More information about recent Patch Tuesday releases is available here.)
Known issues
March is another clean month for known issues. All three desktop KB articles — KB5079473 (Windows 11 25H2/24H2), KB5078883 (Windows 11 23H2), and KB5078885 (Windows 10 22H2) — explicitly say Microsoft is not currently aware of any issues.
CVE-2025-59287 — Windows Server Update Services (WSUS) — Synchronization error reporting remains intentionally disabled since October 2025 to mitigate this critical CVSS 9.8 unauthenticated RCE. Error details continue to be suppressed in the WSUS console with no timeline for restoration. Server 2016 through Server 2025 are affected. Action: There’s no workaround available; monitor Windows Server release health for updates.
Windows Update Standalone Installer (WUSA) — Continues to fail with ERROR_BAD_PATHNAME when installing .msu packages from network shares containing multiple .msu files. The issue originated in May 2025 and affects Windows 11 24H2/25H2 and Server 2025. Action: Known Issue Rollback mitigates this; otherwise copy the .msu files to a local directory before installation.
Separately, Microsoft issued an out-of-band update on March 2 (KB5082314) for Windows Server 2022, addressing an issue with Windows Hello for Business certificate renewal in ADFS-based deployments.
Issues resolved
The March release resolves a small number of issues from previous updates, including:
A known issue where Secure Launch-capable PCs with Virtual Secure Mode (VSM) enabled were unable to shut down or enter hibernation — instead the device restarted. It has been fixed in KB5078885 for Windows 10 22H2. This had been affecting devices since the January 2026 security update.
A Windows Defender Application Control (WDAC) issue where COM objects were incorrectly blocked despite being covered by allowlisting policies has been resolved in KB5079473 for Windows 11 24H2/25H2. COM objects are now allowed as expected when matching policy rules are configured.
Major revisions and mitigations
March is a quiet month for inter-cycle revisions. No previously published CVEs received severity upgrades, expanded affected-product lists, or new action requirements. The most notable inter-patch-cycle action was the KB5082314 out-of-band update.
Windows lifecycle and enforcement updates
Two enforcement deadlines covered in our January and February posts are now less than a month away:
Kerberos RC4 deprecation — Next month, the default encryption for service account ticket issuance changes from RC4 to AES-SHA1 for accounts without an explicit msDS-SupportedEncryptionTypes attribute. The July 2026 enforcement phase removes the RC4DefaultDisablementPhase registry override entirely.
Windows Deployment Services (WDS) hardening — Also in April, hands-free deployment will be disabled by default with a secure-by-default posture.
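Before April, it is worth knowing which service accounts will be affected by the ticket-encryption default change. The following PowerShell is an added example, not part of the Readiness post or any Microsoft tooling; it assumes the ActiveDirectory RSAT module is installed and that the reader has read access to the domain. The bit values of msDS-SupportedEncryptionTypes are the ones Microsoft documents; the "State" classification is this script's own summary of the rules described above.

```powershell
# Added example (not from the Readiness post): inventory SPN-bearing accounts ahead of
# the April change in default Kerberos service-ticket encryption.
# Requires the ActiveDirectory module (RSAT). Read-only; nothing is modified.

# Documented bit values of msDS-SupportedEncryptionTypes
$EncFlags = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128-SHA1' = 0x8
    'AES256-SHA1' = 0x10
    'AES-SK'      = 0x20   # AES session-key flag added by the Nov 2022 hardening
}
$AesBits = 0x18           # AES128 | AES256

function ConvertTo-EncTypeNames {
    param([int]$Value)
    $names = foreach ($k in $EncFlags.Keys) { if ($Value -band $EncFlags[$k]) { $k } }
    if ($names) { $names -join ',' } else { 'NONE' }
}

# Any object with an SPN can have service tickets issued for it: users, computers, gMSAs.
$accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
    -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName, objectClass

$report = foreach ($a in $accounts) {
    $set = $a.'msDS-SupportedEncryptionTypes'
    $state = if ($null -eq $set -or $set -eq 0) {
        'DEFAULT (attribute unset: RC4 today, AES-SHA1 from April)'
    } elseif (($set -band $AesBits) -eq 0) {
        'RC4/DES ONLY (add AES bits before RC4 is removed)'
    } elseif ($set -band 0x4) {
        'AES+RC4 (explicit, unaffected by the default change)'
    } else {
        'AES ONLY (explicit, unaffected by the default change)'
    }
    [pscustomobject]@{
        Name     = $a.Name
        Class    = $a.objectClass
        EncTypes = if ($null -eq $set) { 'not set' } else { ConvertTo-EncTypeNames $set }
        State    = $state
        SPNCount = @($a.servicePrincipalName).Count
    }
}

$report | Sort-Object State, Name | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\kerberos-enctype-readiness.csv"
```

Accounts in the DEFAULT bucket are the ones whose tickets silently switch to AES in April; the ones to chase down first are any RC4/DES ONLY entries, and any DEFAULT account whose consumers (older appliances, third-party Kerberos stacks) cannot negotiate AES.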
CLFS hardening
The headline change with this release is the new hardening feature for CLFS, delivered in KB5079473 for Windows 11 24H2. CLFS is a general-purpose logging subsystem used by transactional NTFS, failover clustering, Windows Update, and many line-of-business applications. The update introduces signature verification for CLFS log files and operates in two modes. Learning Mode (the initial phase) automatically signs existing unsigned log files when they are first opened and audits events without blocking access. Enforcement Mode actively blocks log files that are unsigned or have mismatched signatures. This is a phased rollout: machines begin in Learning Mode, and administrators must manually switch to Enforcement Mode via registry configuration when satisfied that all log files have been properly signed.
In Learning Mode, run a Windows Update check and install any available updates to verify update flows complete without errors.
Test backup and restore scenarios, as these rely heavily on CLFS-based transaction logging.
If your environment uses failover clustering or shared storage, validate that shared log files accessed from multiple machines are correctly signed and accessible.
Verify that line-of-business applications that use transactional logging start and operate normally in Learning Mode.
Switch to Enforcement Mode, restart, and repeat the above tests; confirm that any unsigned log files created before the update are now blocked and that the system logs appropriate events.
Monitor Event Viewer for CLFS-related audit entries and errors throughout testing, particularly during Windows upgrade flows and application startup.
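The steps above are easier to repeat across both modes with a small harness that records the state of the machine each time. The script below is an added example, not part of the Readiness post or of Microsoft's KB. It assumes the update in question is KB5079473 (the package named above), that CLFS base log files carry the .blf extension, and that the Learning/Enforcement registry switch is taken from Microsoft's documentation rather than reproduced here, since the post does not name the value. Run it elevated once in Learning Mode and again after switching to Enforcement Mode, then diff the two CSV sets.

```powershell
# Added example (not from the Readiness post): snapshot CLFS log files and CLFS-related
# events while exercising Learning and Enforcement Mode. Run elevated.
param(
    [string]$Kb     = 'KB5079473',                               # assumed: package from the post
    [string]$OutDir = "$env:ProgramData\clfs-hardening-test\$(Get-Date -Format yyyyMMdd-HHmmss)"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. When was the update installed? Log files last written before this predate signing.
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if (-not $hotfix) { throw "$Kb is not installed on this machine." }
$installed = [datetime]$hotfix.InstalledOn

# 2. Inventory CLFS base log files (.blf) on the system drive; container files sit beside them.
#    Enumerating the whole drive takes a few minutes; access-denied paths are skipped.
$blfs = @(Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Filter *.blf -Force `
            -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'PreUpdate'; e = { $_.LastWriteTime -lt $installed } })
$blfs | Export-Csv -NoTypeInformation -Path "$OutDir\blf-inventory.csv"
'{0} CLFS log files found, {1} last written before {2:u}' -f `
    $blfs.Count, @($blfs | Where-Object PreUpdate).Count, $installed

# 3. Exercise one CLFS consumer the post names: a Windows Update scan via the WUA COM API.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
'Windows Update scan: ResultCode={0} (2 = succeeded), {1} updates offered' -f `
    $result.ResultCode, $result.Updates.Count

# 4. Collect events that mention CLFS since the update, for review after each mode change.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; StartTime = $installed } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -match 'CLFS' -or $_.Message -match 'CLFS|Common Log File System' } |
          Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message)
$events | Export-Csv -NoTypeInformation -Path "$OutDir\clfs-events.csv"
'{0} CLFS-related events since {1:u}; output in {2}' -f $events.Count, $installed, $OutDir
```

In Learning Mode the event export should show audit entries and no blocked opens; after the switch to Enforcement Mode, any .blf file flagged PreUpdate that was never opened during Learning Mode (and therefore never signed) is the first place to look when an application or the update flow fails.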
File Systems
Four file system drivers got updates: exFAT (CVE-2026-25174, 7.8), NTFS (CVE-2026-25175, 7.8), ReFS (CVE-2026-23673, 7.8), and UDF (CVE-2026-23672, 7.8). All four are elevation-of-privilege vulnerabilities. This month’s Windows file system test guidance calls for validation of end-of-file handling, file allocation, and offset operations across all four file systems.
Test file operations on exFAT-formatted USB drives and SD cards: create, copy, move, and delete files of varying sizes, including files that fill the volume near capacity.
Validate NTFS operations including large file copies, sparse files, and files with extended attributes.
On servers using ReFS, verify volume integrity, file copy operations, and Storage Spaces Direct workloads.
Mount UDF-formatted optical media or ISO images and verify files can be read and browsed without errors.
Networking and bluetooth
The Ancillary Function Driver for WinSock (afd.sys) received four patches (CVE-2026-24293, CVE-2026-25176, CVE-2026-25178, CVE-2026-25179), making it the most heavily patched component. The Device Association Service (das.dll) and Bluetooth RFCOMM driver (CVE-2026-23671, 7.0) were also updated, along with core network components including NDIS and MUP (Multiple UNC Provider).
Test messaging applications such as Microsoft Teams and web browsing to exercise WinSock connectivity paths.
Pair and use Bluetooth devices including audio headsets, keyboards, and file transfer via RFCOMM.
Verify SMB, WebDAV, DFS, and NFS access through the Multiple UNC Provider — open files on remote shares using UNC paths and confirm reads and writes succeed.
Graphics, GDI and accessibility
The Graphics Component received a vulnerability flagged as Exploitation More Likely (CVE-2026-23668, 7.0), alongside updates to GDI (CVE-2026-25190, 7.8) and GDI+ (CVE-2026-25181, 7.5). The Accessibility Infrastructure (ATBroker.exe) also has an Exploitation More Likely vulnerability (CVE-2026-24291, 7.8) and an information disclosure issue (CVE-2026-25186, 5.5). The Windows Shell link processing component (CVE-2026-25185) and the DWM Core Library (CVE-2026-25189, 7.8) were also patched.
Open and render EMF and WMF metafiles in applications that rely on GDI/GDI+ — verify images display correctly without crashes or rendering artifacts.
Test applications that use the GDI+ library for image processing, including printing workflows.
Verify that On-Screen Keyboard, Magnifier, and Narrator launch and function correctly after applying the update.
Test creation and use of shortcut (.lnk) files — create shortcuts to applications, documents, and network locations, then verify they resolve and open correctly.
SMB and file sharing
The Windows SMB Server has an Exploitation More Likely vulnerability (CVE-2026-24294, 7.8) alongside a second SMB issue (CVE-2026-26128, 7.8). The Windows File Server component also received a high-scoring patch (CVE-2026-24283, 8.8). Updates to srv.sys, srv2.sys, and srvnet.sys affect all editions from Windows 10 1607 through Windows Server 2025.
Access files on SMB remote shares with SMB signing enabled — perform read, write, copy, and delete operations.
Repeat the above tests with SMB signing disabled to validate both paths. Note that Windows 11 24H2 clients require signing on all outbound SMB connections by default, so exercising the unsigned path from those clients means lowering the client's RequireSecuritySignature setting (Set-SmbClientConfiguration); do this only on lab clients and restore it afterward.
Perform sustained file I/O to network shares under load, verifying that connections remain stable and data integrity is maintained.
Test access to SMB shares from different client OS versions to validate cross-version compatibility.
Kernel and Winlogon
The Windows Kernel received two Exploitation More Likely vulnerabilities (CVE-2026-24289 and CVE-2026-26132, both 7.8), plus a third kernel issue (CVE-2026-24287, 7.8). Winlogon also has an Exploitation More Likely vulnerability (CVE-2026-25187, 7.8). Testing should include:
Test Winlogon scenarios: interactive logon, logoff, workstation lock and unlock, fast user switching, and Ctrl+Alt+Delete secure attention sequence.
If using Windows Projected File System (e.g. Scalar for large Git repos), verify that projected files materialize correctly on access.
Routing, VPN and remote access
The Routing and Remote Access Service (RRAS) received three patches this month: CVE-2026-25172 (8.8), CVE-2026-25173 (8.0), and CVE-2026-26111 (8.8). These affect the RRAS management snap-in, packet filtering, and SSTP VPN connectivity. Organizations running Windows Server with the RRAS role should prioritize testing.
Open the RRAS management snap-in and verify that routing tables and interface configurations display correctly.
Test packet filter rules — create, modify, and delete filters, then verify traffic is correctly permitted or blocked.
Establish and disconnect SSTP VPN connections, verifying that data flows correctly and the tunnel remains stable under sustained use.
Verify static routes and ensure that RIP routing configuration persists across service restarts.
SQL Server
SQL Server had three vulnerabilities, all scored at 8.8, one of which — CVE-2026-21262, an elevation-of-privilege issue — is a publicly disclosed zero-day. The other two (CVE-2026-26115 and CVE-2026-26116) are also elevation-of-privilege vulnerabilities. GDR patches span SQL Server 2016 SP3 through SQL Server 2025, with 10 separate KB articles covering both RTM and cumulative update baselines across all supported versions. Given the public disclosure, SQL Server patching should be prioritized.
Install the appropriate GDR patch on top of the correct baseline (RTM or latest CU) for your SQL Server version.
Verify that the SQL Server service starts, accepts connections, and executes queries normally after patching.
Test database backup and restore operations to ensure transactional integrity.
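Choosing the right GDR package depends on knowing which servicing baseline each instance is on. The script below is an added example, not part of the Readiness post or of Microsoft's SQL Server tooling; it assumes Windows authentication to each local instance and uses only the SERVERPROPERTY values Microsoft documents. The GDR-versus-CU decision follows the rule in Microsoft's SQL Server update KBs: an instance whose ProductUpdateLevel is NULL is on the RTM/SP (GDR) baseline, otherwise it is on the CU baseline.

```powershell
# Added example (not from the Readiness post): report the servicing baseline of every
# SQL Server instance registered on this host so the matching GDR package can be chosen.
Add-Type -AssemblyName System.Data

function Get-SqlBaseline {
    param([Parameter(Mandatory)][string]$ServerInstance)
    $cs = "Server=$ServerInstance;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True;Connect Timeout=15"
    $q  = @"
SELECT CAST(SERVERPROPERTY('ProductVersion')         AS nvarchar(32)) AS ProductVersion,
       CAST(SERVERPROPERTY('ProductLevel')           AS nvarchar(32)) AS ProductLevel,       -- RTM or SPn
       CAST(SERVERPROPERTY('ProductUpdateLevel')     AS nvarchar(32)) AS ProductUpdateLevel, -- CUn, or NULL on the GDR branch
       CAST(SERVERPROPERTY('ProductUpdateReference') AS nvarchar(32)) AS LastKB,             -- KB of the last update applied
       CAST(SERVERPROPERTY('Edition')                AS nvarchar(64)) AS Edition
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $q
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            $cu = [string]$r['ProductUpdateLevel']      # DBNull becomes an empty string
            [pscustomobject]@{
                Instance   = $ServerInstance
                Version    = [string]$r['ProductVersion']
                Level      = [string]$r['ProductLevel']
                Baseline   = if ([string]::IsNullOrEmpty($cu)) { 'GDR (RTM/SP baseline)' } else { "CU baseline ($cu)" }
                LastUpdate = [string]$r['LastKB']
                Edition    = [string]$r['Edition']
            }
        }
    }
    finally { $conn.Dispose() }
}

# Instances registered on this host (default instance is MSSQLSERVER, named ones are HOST\NAME).
$key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$instances = (Get-ItemProperty -Path $key -ErrorAction Stop).PSObject.Properties |
    Where-Object { $_.Name -notin $psProps } |
    ForEach-Object { if ($_.Name -eq 'MSSQLSERVER') { $env:COMPUTERNAME } else { "$env:COMPUTERNAME\$($_.Name)" } }

$instances | ForEach-Object { Get-SqlBaseline -ServerInstance $_ } | Format-Table -AutoSize
```

Compare the reported ProductVersion against the build number listed in the KB for the GDR you intend to apply; a CU-baseline instance must take the CU-branch package, and applying the RTM-branch GDR to it will be refused by the installer.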
Office & SharePoint
Microsoft Excel had five vulnerabilities (CVE-2026-26107, CVE-2026-26108, CVE-2026-26109, CVE-2026-26112, CVE-2026-26144), with CVE-2026-26109 scoring 8.4. SharePoint Server had three vulnerabilities, including CVE-2026-26106 (8.8) and CVE-2026-26114 (8.8). The Microsoft Office platform also had three, two of which score 8.4 (CVE-2026-26110, CVE-2026-26113).
Open and edit complex Excel workbooks with formulas, macros, and external data connections.
Validate SharePoint document library operations, co-authoring, and workflow execution.
Test Office add-ins and verify that line-of-business applications integrating with Office operate correctly.
Open documents containing embedded objects and verify they render and activate without errors.
.NET & ASP.NET Core
The March patches for .NET and ASP.NET Core include a publicly disclosed zero-day: CVE-2026-26127, a denial-of-service vulnerability scored at 7.5 that affects the .NET runtime. A second .NET vulnerability (CVE-2026-26131, EoP, 7.8) and an ASP.NET Core denial-of-service issue (CVE-2026-26130, 7.5) round out the .NET updates. These affect runtime and SDK packages. No application rebuilds or configuration changes are expected, but the public disclosure warrants prompt patching.
Test runtime functionality including file I/O, networking, cryptography, and threading.
Validate ASP.NET Core workloads, particularly those exposed to untrusted input that could trigger the denial-of-service conditions patched this month.
The six “Exploitation More Likely” rated vulnerabilities — spanning the Windows Kernel, Winlogon, SMB Server, Graphics Component, and Accessibility Infrastructure — affect core operating system stability and need immediate attention. Organizations using RRAS for VPN or routing should give priority to the three high-scoring flaws.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers (Microsoft IE and Edge)
Microsoft Windows (both desktop and server)
Microsoft Office
Microsoft Exchange and SQL Server
Microsoft Developer Tools (Visual Studio and .NET)
Adobe (if you get this far)
Microsoft Edge (and Chromium)
Microsoft republished 10 Chromium security fixes for Microsoft Edge this cycle, alongside one Edge-specific vulnerability. None are actively exploited or publicly disclosed.
CVE-2026-26133 — M365 Copilot — Information disclosure (CVSS 7.1, Important); surfaces through Edge for Android and iOS. Customer action required.
The Chromium update addresses issues across several components covering CVE-2026-3536 (integer overflow in ANGLE), CVE-2026-3538 (integer overflow in Skia), and CVE-2026-3544 (heap buffer overflow in WebCodecs). Organizations should refer to the Chrome Releases blog for Google’s severity assessments. Add these low-impact browser updates to your standard release schedule.
Microsoft Windows
Windows accounts for 48 of this month’s CVEs, all rated Important. There are no actively exploited or publicly disclosed vulnerabilities in the Windows category. Microsoft flagged six CVEs as “Exploitation More Likely,” all elevation-of-privilege vulnerabilities that include:
CVE-2026-24289, CVE-2026-26132 — Windows Kernel — Elevation of privilege (CVSS 7.8); memory corruption and use-after-free conditions enabling SYSTEM escalation from a local authenticated session.
CVE-2026-25187 — Winlogon — Elevation of privilege (CVSS 7.8); discovered by Google Project Zero. Given Winlogon’s position in the authentication path, this is a high-value target for post-exploitation.
CVE-2026-24294 — Windows SMB Server — Elevation of privilege (CVSS 7.8); authentication flaw allowing privilege escalation on systems with SMB enabled.
CVE-2026-24291 — Windows Accessibility Infrastructure (ATBroker.exe) — Elevation of privilege (CVSS 7.8).
CVE-2026-23668 — Windows Graphics Component — Elevation of privilege (CVSS 7.0); race condition.
With no actively exploited vulnerabilities, no critical ratings, and no publicly disclosed issues, this is the quietest Windows month of the year so far. Add these updates to your standard deployment schedule. (Kind of amazing, eh?)
Microsoft Office
Microsoft Office got 12 security fixes, three of them critical. None are actively exploited or publicly disclosed, and none are flagged as “Exploitation More Likely” — but the attack surface warrants attention.
CVE-2026-26113, CVE-2026-26110 — Microsoft Office — Remote code execution (CVSS 8.4, critical). Both confirm the Preview Pane as an attack vector — simply previewing a malicious file in Outlook or File Explorer is sufficient to trigger execution without further user interaction.
CVE-2026-26144 — Microsoft Excel — Information disclosure (CVSS 7.5, critical). This is a novel vulnerability: a network-accessible, zero-click data exfiltration path through Copilot Agent mode. No user interaction is required. It is unusual to see an information disclosure rated critical, reflecting the sensitivity of the data exposed.
The two Preview Pane RCEs (CVE-2026-26113, CVE-2026-26110) make this a “Patch Now” release for Office. Organizations that cannot deploy immediately should consider temporarily disabling the Preview Pane in Outlook and File Explorer.
Microsoft SQL Server and Exchange
SQL Server has three elevation-of-privilege vulnerabilities, all CVSS 8.8, all enabling authenticated users to escalate to sysadmin over the network:
CVE-2026-21262 — Improper access control. Publicly disclosed (zero-day). Affects SQL Server 2016 SP3 through 2025.
CVE-2026-26115 — Improper input validation. Affects SQL Server 2016 SP3 through 2025.
CVE-2026-26116 — SQL injection. Affects SQL Server 2025 only.
CVE-2026-21262 is one of this month’s two zero-days. While rated “Exploitation Less Likely,” the public disclosure and broad version coverage (every supported edition) warrant priority patching for SQL Server environments. Exchange Server has not received any security updates this month. Add these SQL Server updates to your Patch Now schedule.
Developer tools
For March, Microsoft addresses four vulnerabilities across .NET, ASP.NET Core, and Microsoft Semantic Kernel, all rated Important, covering the following:
CVE-2026-26127 — .NET — Denial of service (CVSS 7.5). Publicly disclosed (zero-day). An unauthenticated out-of-bounds read affecting .NET 9.0 and 10.0 across Windows, macOS, and Linux.
CVE-2026-26130 — ASP.NET Core — Denial of service (CVSS 7.5). Unauthenticated resource exhaustion across ASP.NET Core 8.0, 9.0, and 10.0.
CVE-2026-26030 — Semantic Kernel Python SDK — Remote code execution (CVSS 9.9). Filter bypass in InMemoryVectorStore; exploitation requires untrusted input to the filter path. Rated “Exploitation Unlikely.”
CVE-2026-26131 — .NET 10.0 — Elevation of privilege (CVSS 7.8). Incorrect default permissions on Windows.
The two unauthenticated DoS vulnerabilities are the priority for internet-facing .NET and ASP.NET Core services. CVE-2026-26127 is the second of this month’s two zero-days. Add these updates to your “Patch Now” deployment schedule.
Adobe (and third-party updates)
Adobe (but not Microsoft) has released a single update (APSB26-26) that affects Adobe Reader and Acrobat. Since you made it this far, one item worth flagging for its novelty: CVE-2026-21536 (CVSS 9.8), a critical unauthenticated remote code execution vulnerability in the Microsoft Devices Pricing Program, was discovered by XBOW, an autonomous AI-powered penetration testing agent. This marks one of the first critical-severity CVEs in a Microsoft product publicly attributed to an AI security researcher.
Source: Microsoft’s Patch Tuesday updates: Keeping up with the latest fixes – Computerworld