Microsoft March Patch Tuesday Security Updates Across Windows, Office, SharePoint, .NET, and Azure Components
Microsoft released its March 2026 Patch Tuesday security updates addressing vulnerabilities across a broad set of products, and the Canadian Centre for Cyber Security issued advisory AV26-213 urging organizations to review Microsoft’s guidance and apply the required patches. The advisory highlights updates spanning Windows (10/11 and multiple Windows Server versions), .NET/ASP.NET Core, Microsoft 365, Office/Excel, SharePoint, SQL Server, and multiple Azure-related components and extensions (including Azure Arc/Connected Machine Agent and other Windows/Linux extensions), reflecting a wide attack surface for enterprise environments.
Arctic Wolf’s Patch Tuesday coverage calls out specific fixes affecting Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, including CVE-2026-26113, and also notes Office-family updates addressing CVE-2026-26110 and CVE-2026-26113 across Office 2016/2019, Office LTSC 2021/2024 (including Mac), and Office for Android, with referenced KB updates (e.g., 5002843, 5002845, 5002847, 5002850, 5002851, 5002838). Together, the sources indicate that organizations running SharePoint and Office (including Click-to-Run deployments) should prioritize patch validation and deployment using Microsoft’s Security Update Guide and the March 2026 security update listings referenced by the Cyber Centre.
Related Stories

Microsoft March 2026 Patch Tuesday Vulnerabilities Across SharePoint, Office/Excel, Windows Drivers, and GDI
Microsoft published security advisories for multiple **Important** and **Critical** vulnerabilities affecting *SharePoint Server*, *Microsoft Office/Excel*, Windows components, and *GDI*. The highest-impact server-side issue is **CVE-2026-26114**, a *SharePoint Server* **remote code execution** flaw attributed to **CWE-502 (deserialization of untrusted data)** with a CVSS v3.1 vector `AV:N/AC:L/PR:L/UI:N` (base score shown as 8.8), indicating network reachability with low complexity and requiring low privileges. Microsoft also disclosed **CVE-2026-26105**, a *SharePoint Server* **spoofing** issue mapped to **CWE-79 (XSS)** with `AV:N/AC:L/PR:N/UI:R` (base score shown as 8.1), implying remote exploitation that requires user interaction.

On the endpoint/application side, Microsoft listed several *Office/Excel* **remote code execution** vulnerabilities: **CVE-2026-26109** (Excel RCE; **CWE-125 out-of-bounds read**; vector `AV:L/AC:L/PR:N/UI:N`, base score shown as 8.4), **CVE-2026-26108** (Excel RCE; **CWE-122 heap-based buffer overflow**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8), and **CVE-2026-26112** (Excel RCE; **CWE-822 untrusted pointer dereference**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8). Microsoft also published **CVE-2026-26113**, a **Critical** *Microsoft Office* RCE (also **CWE-822**) with `AV:L/AC:L/PR:N/UI:N` (base score shown as 8.4); one reference is a duplicate advisory page for the same CVE.

Additional component advisories include **CVE-2026-24288** (Windows Mobile Broadband Driver RCE; **CWE-122**; `AV:P/AC:L/PR:N/UI:N`, base score shown as 6.8, requiring physical access) and **CVE-2026-25190** (GDI RCE; **CWE-426 untrusted search path**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8).
6 days ago
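For patch triage, the exploitability metrics quoted in the summary above can be scored and ranked directly. The following is an added example, not code from Microsoft or from this page: it parses the partial vectors as quoted, computes the CVSS v3.1 exploitability sub-score, and sorts the advisories by it. It assumes Scope: Unchanged for the privileges-required weight, since the page shows no Scope or impact metrics; the function names are illustrative.

```python
import re

# CVSS v3.1 metric weights (FIRST.org specification). PR uses the
# Scope: Unchanged weights; Scope is not shown on the page, so that is an
# assumption (it only changes the PR:L and PR:H weights).
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
}

# Partial vectors as quoted in the summary above.
ADVISORIES = {
    "CVE-2026-26114": "AV:N/AC:L/PR:L/UI:N",
    "CVE-2026-26105": "AV:N/AC:L/PR:N/UI:R",
    "CVE-2026-26109": "AV:L/AC:L/PR:N/UI:N",
    "CVE-2026-26108": "AV:L/AC:L/PR:N/UI:R",
    "CVE-2026-26112": "AV:L/AC:L/PR:N/UI:R",
    "CVE-2026-26113": "AV:L/AC:L/PR:N/UI:N",
    "CVE-2026-24288": "AV:P/AC:L/PR:N/UI:N",
    "CVE-2026-25190": "AV:L/AC:L/PR:N/UI:R",
}

def parse_vector(vector):
    """Return {metric: value}; reject unknown, duplicate or missing metrics."""
    metrics = {}
    for part in vector.split("/"):
        m = re.fullmatch(r"([A-Z]+):([A-Z])", part)
        if not m or m[2] not in WEIGHTS.get(m[1], {}) or m[1] in metrics:
            raise ValueError(f"bad metric {part!r} in {vector!r}")
        metrics[m[1]] = m[2]
    if set(metrics) != set(WEIGHTS):
        raise ValueError(f"{vector!r} must carry AV, AC, PR and UI")
    return metrics

def exploitability(vector):
    """CVSS v3.1 exploitability sub-score: 8.22 * AV * AC * PR * UI."""
    score = 8.22
    for name, value in parse_vector(vector).items():
        score *= WEIGHTS[name][value]
    return round(score, 1)

def triage(advisories):
    """Sort by sub-score (highest first), then CVE id; flag remote reach."""
    rows = [(cve, exploitability(v), parse_vector(v)["AV"] == "N")
            for cve, v in advisories.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for cve, score, remote in triage(ADVISORIES):
        print(f"{cve}  exploitability={score}  network={remote}")
```

The sub-score reflects only how reachable a flaw is, so the two SharePoint entries rank first even though some Office entries carry a similar base score; severity ratings and asset exposure still need to be weighed alongside it.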
Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities
Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.
6 days ago
Microsoft February Patch Tuesday Fixes Six Zero-Day Vulnerabilities and Rolls Out New Secure Boot Certificates
Microsoft released its **February 2026 Patch Tuesday** security updates, addressing **54–58 vulnerabilities** across Windows and other Microsoft products, including **six zero-days** that were **publicly disclosed and/or actively exploited** prior to patch availability. Reported zero-days include `CVE-2026-21514` (Office Word security feature bypass), `CVE-2026-21513` (MSHTML security feature bypass), `CVE-2026-21510` (Windows Shell security feature bypass), `CVE-2026-21533` (Windows Remote Desktop Services elevation of privilege), `CVE-2026-21525` (Windows Remote Access Connection Manager DoS), and `CVE-2026-21519` (Desktop Window Manager elevation of privilege). The broader release spans common bug classes such as **RCE**, **EoP**, **information disclosure**, **spoofing**, **DoS**, and **security feature bypass**, with multiple **Critical** issues also called out, including Azure Compute Gallery flaws impacting *ACI Confidential Containers* (`CVE-2026-23655`, `CVE-2026-21522`). As part of the February Windows updates, Microsoft also began a **phased rollout of updated Secure Boot certificates** to replace the original **2011 certificates** ahead of their expiration in **late June 2026**, using “targeting data” and “successful update signals” to control deployment. Windows 11 cumulative updates (including **KB5077181** and **KB5075941**) were released as mandatory Patch Tuesday packages for supported Windows 11 versions, bundling the security fixes alongside additional reliability and feature changes. Separately, Adobe issued February security bulletins covering **44 CVEs** across multiple Creative Cloud products; those Adobe issues were not listed as publicly known or under active attack at release.
1 month ago