How Do I Secure My System Against the March 2026 Windows Zero-Day Vulnerabilities?

What Are the Critical Fixes in the March 2026 Microsoft Patch Tuesday Security Update?

Microsoft Security Update Advisory: March 10, 2026

On March 10, 2026, Microsoft issued essential security updates across its Windows clients, servers, and Office products. The release resolves 83 Common Vulnerabilities and Exposures (CVEs). Eight of these flaws carry a critical severity rating. Two are zero-day vulnerabilities. System administrators must prioritize these patches to maintain network integrity and protect sensitive infrastructure.

Operating System and Server Updates

Microsoft bundles all Windows 10 and 11 patches into cumulative monthly updates. Applying the March package secures your systems against newly identified risks while installing previous baseline fixes. These standard updates also integrate necessary bug corrections and feature enhancements.

Windows 10 version 22H2 reached its standard end of support in October 2025. Organizations still using this version must hold an active Extended Security Updates (ESU) license to receive today’s patches. Windows Server 2012 and 2012 R2 administrators also require an active ESU license, which remains valid until October 2026.

High-Priority Vulnerabilities

The security community has identified several severe threats within this release. SQL Server faces three Elevation of Privilege flaws (CVE-2026-21262, CVE-2026-26115, CVE-2026-2611) carrying a CVSSv3 score of 8.8. Attackers exploiting these flaws could acquire SQL sysadmin privileges. CVE-2026-21262 is a publicly known zero-day vulnerability, though no active exploitation has been observed.

The .NET framework contains a Denial of Service vulnerability (CVE-2026-26127) affecting versions 9.0 and 10.0 across Windows, macOS, and Linux. Public knowledge of this flaw preceded the official patch. Additionally, Linux users running .NET 10 face a performance-related flaw tracked as CVE-2026-26131.

Local, authenticated users could exploit three Windows Kernel vulnerabilities (CVE-2026-24287, CVE-2026-24289, CVE-2026-26132) to gain complete SYSTEM privileges. While Microsoft sees no current active attacks, the company rates CVE-2026-24289 and CVE-2026-26132 as highly likely to see future exploitation.

Cloud and Microsoft Office Security

Azure administrators must patch an Elevation of Privilege flaw (CVE-2026-26118) inside the Azure Model Context Protocol (MCP) server. Malicious actors could manipulate input parameters to steal managed identity tokens. MCP integrates large language models with external tools, making this a highly sensitive attack vector for AI-driven environments.

Microsoft Office carries two critical Remote Code Execution vulnerabilities (CVE-2026-26110, CVE-2026-26113) scoring 8.4 on the CVSSv3 scale. Attackers can trigger these flaws locally without authentication simply through the Windows preview pane.

Microsoft Excel users face two distinct risks requiring immediate attention. The first is a critical data leak flaw (CVE-2026-26144) caused by improper input neutralization. The second is an out-of-bounds read error (CVE-2026-26109) permitting local code execution.

Finally, SharePoint Server administrators must patch two vulnerabilities (CVE-2026-26106, CVE-2026-26114) that allow authenticated site members to execute remote code via improper input validation and unsafe data deserialization.