Microsoft March 2026 Patch Tuesday Vulnerabilities Across SharePoint, Office/Excel, Windows Drivers, and GDI
Microsoft published security advisories for multiple Important and Critical vulnerabilities affecting SharePoint Server, Microsoft Office/Excel, Windows components, and GDI. The highest-impact server-side issue is CVE-2026-26114, a SharePoint Server remote code execution flaw attributed to CWE-502 (deserialization of untrusted data) with a CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N (base score shown as 8.8): it is reachable over the network with low attack complexity, needs no user interaction, and requires only a low-privileged account, so any authenticated SharePoint user, or an attacker holding stolen credentials, is in scope. Microsoft also disclosed CVE-2026-26105, a SharePoint Server spoofing issue mapped to CWE-79 (cross-site scripting) with AV:N/AC:L/PR:N/UI:R (base score shown as 8.1), meaning it needs no privileges on the server but does require a victim to interact with attacker-controlled content.
On the endpoint/application side, Microsoft listed several Office/Excel remote code execution vulnerabilities: CVE-2026-26109 (Excel RCE; CWE-125 out-of-bounds read; vector AV:L/AC:L/PR:N/UI:N, base score shown as 8.4), CVE-2026-26108 (Excel RCE; CWE-122 heap-based buffer overflow; AV:L/AC:L/PR:N/UI:R, base score shown as 7.8), and CVE-2026-26112 (Excel RCE; CWE-822 untrusted pointer dereference; AV:L/AC:L/PR:N/UI:R, base score shown as 7.8). Microsoft also published CVE-2026-26113, a Critical Microsoft Office RCE (also CWE-822) with AV:L/AC:L/PR:N/UI:N (base score shown as 8.4). The AV:L in these vectors follows Microsoft's convention for file-parsing bugs: the crafted document has to be processed on the victim's machine, and e-mail or a download is only the delivery channel, so they should be treated as phishing-grade risks rather than as local-only issues. The UI:N on CVE-2026-26109 and CVE-2026-26113 is worth checking against each advisory's FAQ, since for Office it usually signals that the file is parsed without the user deliberately opening it (for example through the Preview Pane). Additional component advisories include CVE-2026-24288 (Windows Mobile Broadband Driver RCE; CWE-122; AV:P/AC:L/PR:N/UI:N, base score shown as 6.8, requiring physical access to the device) and CVE-2026-25190 (GDI RCE; CWE-426 untrusted search path; AV:L/AC:L/PR:N/UI:R, base score shown as 7.8).
Related Stories

Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for **Windows**, **Azure**, and **developer tooling**, including several high-impact issues spanning **remote code execution (RCE)**, **elevation of privilege (EoP)**, **spoofing**, **information disclosure**, **denial of service**, and **security feature bypass**. Notable items include **Azure SDK for Python RCE** `CVE-2026-21531` (CVSS 9.8; **deserialization of untrusted data**), **Windows Shell security feature bypass** `CVE-2026-21510` (CVSS 8.8; exploitability listed as **E:F**), **GitHub Copilot/Visual Studio/VS Code** issues enabling **RCE/EoP/feature bypass** (`CVE-2026-21256`, `CVE-2026-21523`, `CVE-2026-21257`, `CVE-2026-21518`), and **Azure Local RCE** `CVE-2026-21228` (CVSS 8.1; **improper certificate validation**). Additional Windows platform flaws include **Desktop Window Manager EoP** `CVE-2026-21519` (type confusion), **HTTP.sys EoP** `CVE-2026-21232` (untrusted pointer dereference), **WinSock Ancillary Function Driver EoP** `CVE-2026-21238` (improper access control), **Windows Storage EoP** `CVE-2026-21508`, **WSL EoP** `CVE-2026-21237`, **Microsoft Word security feature bypass** `CVE-2026-21514`, **Outlook spoofing** `CVE-2026-21511`, **Windows LDAP DoS** `CVE-2026-21243`, plus **ACI Confidential Containers information disclosure** `CVE-2026-23655` and **Azure IoT Explorer information disclosure** `CVE-2026-21528`. Separately, a detailed third-party writeup described a **Windows Error Reporting Service** local privilege escalation, `CVE-2026-20817`, patched in January 2026, where the **WER service** (`wersvc.dll`) running as `NT AUTHORITY\SYSTEM` allegedly fails to validate requester permissions over **ALPC**, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as *SeDebugPrivilege*, *SeImpersonatePrivilege*, and *SeBackupPrivilege*). 
Another third-party report highlighted a long-standing **libpng** heap buffer issue, `CVE-2026-25646` (CVSS 8.3), in `png_set_quantize()` that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced **libjpeg-turbo** `CVE-2023-2804` (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
1 month ago
Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities
Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.
6 days ago
Microsoft March Patch Tuesday Security Updates Across Windows, Office, SharePoint, .NET, and Azure Components
Microsoft released its **March 2026 Patch Tuesday** security updates addressing vulnerabilities across a broad set of products, and the Canadian Centre for Cyber Security issued advisory **AV26-213** urging organizations to review Microsoft’s guidance and apply the required patches. The advisory highlights updates spanning **Windows (10/11 and multiple Windows Server versions)**, **.NET/ASP.NET Core**, **Microsoft 365**, **Office/Excel**, **SharePoint**, **SQL Server**, and multiple **Azure**-related components and extensions (including Azure Arc/Connected Machine Agent and other Windows/Linux extensions), reflecting a wide attack surface for enterprise environments. Arctic Wolf’s Patch Tuesday coverage calls out specific fixes affecting **Microsoft SharePoint Server Subscription Edition**, **SharePoint Server 2019**, and **SharePoint Enterprise Server 2016**, including **CVE-2026-26113**, and also notes Office-family updates addressing **CVE-2026-26110** and **CVE-2026-26113** across *Office 2016/2019*, *Office LTSC 2021/2024* (including Mac), and *Office for Android*, with referenced KB updates (e.g., `5002843`, `5002845`, `5002847`, `5002850`, `5002851`, `5002838`). Together, the sources indicate that organizations running SharePoint and Office (including Click-to-Run deployments) should prioritize patch validation and deployment using Microsoft’s **Security Update Guide** and the March 2026 security update listings referenced by the Cyber Centre.
5 days ago