Microsoft’s March 2026 Patch Tuesday includes 83 Microsoft CVEs and 10 republished non-Microsoft CVEs.
While none of this month’s vulnerabilities are marked as Exploitation Detected, this is still a release that demands close attention. Microsoft flagged several vulnerabilities as Exploitation More Likely, and the overall patch set includes multiple high-severity issues affecting important enterprise systems.
The biggest takeaway this month is the combination of broad exposure across Windows core services, SQL Server, SharePoint, RRAS, Active Directory Domain Services, and Azure workloads, along with several vulnerabilities that could become attractive targets quickly.
For IT and security teams, March is a month to prioritize patches based on business exposure, attack surface, and operational risk rather than waiting for confirmed exploitation.
Microsoft Patch Breakdown for March 2026
Microsoft’s March 2026 Patch Tuesday spans a wide mix of enterprise systems, making this a month where patch prioritization matters as much as patch volume.
This month’s release affects:
Windows core infrastructure such as Print Spooler, SMB Server, Kerberos, ReFS, NTFS, Winlogon, WinSock, and RRAS
Identity and directory services including Active Directory Domain Services and Azure Entra ID
Office and collaboration platforms such as Excel, SharePoint, and core Office components
Cloud and Azure workloads including Azure Compute Gallery, Azure MCP Server, Azure IoT Explorer, Azure Arc, Azure Linux VMs, and the Azure Windows Virtual Machine Agent
Database and management tooling including SQL Server and System Center Operations Manager
The key story is the breadth of affected enterprise surfaces. Rather than centering on one dominant zero-day, March 2026 stands out because it touches multiple high-value systems that many organizations depend on every day.
For defenders, that makes this a risk-based patching month. Teams should prioritize updates based on internet exposure, privilege level, business criticality, and how broadly each affected product is deployed across the environment.
Zero Day and Exploitation Likely Vulnerabilities
Actively Exploited Zero-Day Vulnerabilities
None of the March 2026 CVEs are marked as Exploitation Detected.
Still, that should not be mistaken for a low-risk Patch Tuesday. Several vulnerabilities are marked Exploitation More Likely, which makes them some of the most important patches to review and deploy quickly.
Vulnerabilities With Higher Likelihood of Exploitation
Microsoft flagged the following vulnerabilities as Exploitation More Likely:
CVE-2026-23668 | Microsoft Graphics Component
CVE-2026-24289 | Windows Kernel
CVE-2026-24291 | Windows Accessibility Infrastructure (ATBroker.exe)
CVE-2026-24294 | Windows SMB Server
CVE-2026-25187 | Winlogon
CVE-2026-26132 | Windows Kernel
These issues affect foundational Windows components that are frequently useful in privilege escalation, persistence, and lateral movement scenarios. Even without confirmed exploitation, they deserve fast validation and rapid deployment.
Critical Vulnerabilities to Watch
March 2026 includes several high-severity vulnerabilities that deserve immediate attention, even without a confirmed exploited zero-day.
Highest Severity Vulnerability
CVE-2026-21536 | Microsoft Devices Pricing Program | CVSS 9.8
This is the highest-scoring vulnerability in this month’s release.
Any organization using the affected service should review exposure immediately and treat it as a top-priority remediation item.
High-Severity Infrastructure and Server Risks
CVE-2026-20967 | System Center Operations Manager | CVSS 8.8
CVE-2026-21262 | SQL Server | CVSS 8.8
CVE-2026-23669 | Windows Print Spooler Components | CVSS 8.8
CVE-2026-24283 | Windows File Server | CVSS 8.8
CVE-2026-25172 | Windows RRAS | CVSS 8.8
CVE-2026-25177 | Active Directory Domain Services | CVSS 8.8
CVE-2026-25188 | Windows Telephony Service | CVSS 8.8
CVE-2026-26111 | Windows RRAS | CVSS 8.8
CVE-2026-26115 | SQL Server | CVSS 8.8
CVE-2026-26116 | SQL Server | CVSS 8.8
These vulnerabilities stand out because they affect systems tied to authentication, database operations, remote access, printing infrastructure, and core IT management workflows.
Collaboration and Productivity Platform Risks
CVE-2026-26106 | Microsoft Office SharePoint | CVSS 8.8
CVE-2026-26114 | Microsoft Office SharePoint | CVSS 8.8
CVE-2026-26109 | Microsoft Office Excel | CVSS 8.4
CVE-2026-26110 | Microsoft Office | CVSS 8.4
CVE-2026-26113 | Microsoft Office | CVSS 8.4
For organizations that rely heavily on Microsoft collaboration and productivity platforms, these issues should be reviewed early in the patch cycle, especially where SharePoint is exposed or broadly used.
Azure and Cloud-Facing Risks
CVE-2026-26118 | Azure MCP Server | CVSS 8.8
CVE-2026-26125 | Payment Orchestrator Service | CVSS 8.6
Cloud and hybrid environments should also review the broader set of Azure-related March CVEs to determine which issues require customer action versus service-side remediation.
Patch Prioritization Guidance for IT Teams
March 2026 is a month to prioritize patching by exposure and business impact, not by severity score alone.
Patch Within 72 Hours
Focus first on the vulnerabilities that combine high severity with enterprise blast radius:
CVE-2026-21536 | Microsoft Devices Pricing Program
All Exploitation More Likely vulnerabilities:
CVE-2026-23668
CVE-2026-24289
CVE-2026-24291
CVE-2026-24294
CVE-2026-25187
CVE-2026-26132
High-severity infrastructure vulnerabilities:
SQL Server | CVE-2026-21262, CVE-2026-26115, CVE-2026-26116
RRAS | CVE-2026-25172, CVE-2026-26111
AD DS | CVE-2026-25177
SharePoint | CVE-2026-26106, CVE-2026-26114
Windows Print Spooler Components | CVE-2026-23669
System Center Operations Manager | CVE-2026-20967
Azure MCP Server | CVE-2026-26118
Payment Orchestrator Service | CVE-2026-26125
Patch Within One to Two Weeks
After the first wave is validated, focus on the broader set of vulnerabilities scored CVSS 7.5–8.1, especially where they affect common workloads:
Azure IoT Explorer | CVE-2026-23661, CVE-2026-23662, CVE-2026-23664, CVE-2026-26121
Azure Portal Windows Admin Center | CVE-2026-23660
Azure Linux Virtual Machines | CVE-2026-23665
Windows UDFS / ReFS / NTFS | CVE-2026-23672, CVE-2026-23673, CVE-2026-25175
Windows SMB Server | CVE-2026-26128
Microsoft Office Excel | CVE-2026-26107, CVE-2026-26108, CVE-2026-26112
Office core | CVE-2026-26110, CVE-2026-26113, CVE-2026-26134
Azure Entra ID | CVE-2026-26148
ASP.NET Core / .NET | CVE-2026-26130, CVE-2026-26127, CVE-2026-26131
Regular Patch Cycle
Lower-priority items include those marked Exploitation Unlikely and lower-scored local issues, such as:
Windows App Installer | CVE-2026-23656
Push Message Routing Service | CVE-2026-24282
Windows Device Association Service | CVE-2026-24296
Microsoft Authenticator | CVE-2026-26123
Azure Compute Gallery lower-severity entries
Miscellaneous local Windows component issues with reduced exploitability or narrower applicability
What IT and Security Teams Should Do Next
This release spreads meaningful risk across Windows systems, identity services, collaboration platforms, databases, and Azure workloads, which means teams need to move quickly and methodically.
1. Identify Where You’re Exposed
Start by mapping exposure across the systems that stand out most this month, including:
SQL Server
SharePoint
Windows RRAS
Active Directory Domain Services
Windows Print Spooler
System Center Operations Manager
Azure MCP Server
Other affected Azure and Windows infrastructure components
This helps teams focus first on the assets that create the greatest business and security risk if left unpatched.
2. Prioritize Exploitation More Likely Vulnerabilities
Even without confirmed in-the-wild exploitation, the vulnerabilities Microsoft marked as Exploitation More Likely should move to the front of the queue.
These issues affect broadly deployed Windows components and could become practical attack paths for privilege escalation, persistence, or lateral movement. That makes them important candidates for rapid validation and early deployment across both endpoints and servers.
3. Separate Customer-Patched Issues from Service-Side Fixes
For Azure-related vulnerabilities, confirm which fixes require action from your team and which are handled by Microsoft on the service side.
This step is especially important in hybrid and cloud-heavy environments, where patch ownership is not always obvious and assumptions can leave gaps in coverage.
4. Deploy in Waves, Then Expand Quickly
Rather than treating every March update the same, start with a first wave focused on:
internet-facing systems
identity infrastructure
collaboration platforms
database servers
highly exposed Windows assets
After that, validate and expand deployment to the broader set of high-priority vulnerabilities affecting common workloads and internal systems.
5. Use Risk-Based Staging, Not a Flat Patch Queue
A staged rollout based on business exposure, privilege level, and operational criticality will be more effective than pushing updates in a single undifferentiated batch.
For March, the goal is to reduce risk quickly across the most exposed parts of the environment, then complete broader patch coverage without slowing urgent remediation.
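The patch windows from the prioritization guidance and the wave ordering from step 4 can be combined into one staging plan. The sketch below is an added example, not Microsoft's or the article's tooling; the host names, role tags, inventory schema and the 8.6 / 7.5 score cutoffs are assumptions chosen to match the lists above.

```python
from dataclasses import dataclass
from typing import Optional
# From the article: CVEs Microsoft marked "Exploitation More Likely".
MORE_LIKELY = {"CVE-2026-23668", "CVE-2026-24289", "CVE-2026-24291",
               "CVE-2026-24294", "CVE-2026-25187", "CVE-2026-26132"}
# First-wave asset classes named in step 4; the tag strings are assumed labels.
WAVE_ORDER = ["internet-facing", "identity", "collaboration", "database"]
TIERS = ["72 hours", "1-2 weeks", "regular cycle"]

@dataclass(frozen=True)
class Finding:
    host: str              # constructed host name
    role: str              # inventory tag (assumed schema)
    internet_facing: bool
    cve: str
    cvss: Optional[float]  # None when the article lists no score

def tier(f: Finding) -> str:
    """Map a finding to a patch window; the 8.6 and 7.5 cutoffs are assumptions."""
    score = f.cvss or 0.0  # assumption: an unknown score does not raise the tier
    if f.cve in MORE_LIKELY or score >= 8.6:
        return TIERS[0]    # the exploitability label outranks the score
    return TIERS[1] if score >= 7.5 else TIERS[2]

def wave(f: Finding) -> int:
    """Position inside a tier; a lower number deploys earlier."""
    key = "internet-facing" if f.internet_facing else f.role
    return WAVE_ORDER.index(key) if key in WAVE_ORDER else len(WAVE_ORDER)

def plan(findings):
    """Return {tier: [(host, cve), ...]} with each tier ordered by wave."""
    out = {t: [] for t in TIERS}
    for f in sorted(findings, key=lambda f: (wave(f), f.host, f.cve)):
        out[tier(f)].append((f.host, f.cve))
    return out

# Constructed inventory; the CVE ids and scores are the ones the article lists.
SAMPLE = [
    Finding("ws-114", "workstation", False, "CVE-2026-26110", 8.4),
    Finding("sql-01", "database", False, "CVE-2026-21262", 8.8),
    Finding("dc-01", "identity", False, "CVE-2026-25177", 8.8),
    Finding("vpn-gw", "remote-access", True, "CVE-2026-25172", 8.8),
    Finding("fs-02", "file-server", False, "CVE-2026-24294", None),
    Finding("sp-01", "collaboration", False, "CVE-2026-26106", 8.8),
    Finding("ws-114", "workstation", False, "CVE-2026-23656", None),
]

if __name__ == "__main__":
    print(plan(SAMPLE))
```

The SMB Server finding lands in the 72-hour tier on its exploitability label alone, even though no score is recorded for it.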
Republished and Non-Microsoft CVEs Also Noted
Microsoft’s March 2026 release also includes 10 republished non-Microsoft CVEs, but these should be treated as a secondary part of the overall Patch Tuesday story.
The most notable entries in this group are:
CVE-2026-26030 | Microsoft Semantic Kernel Python SDK
CVE-2026-3536 through CVE-2026-3545 | Microsoft Edge (Chromium-based)
For most IT teams, these republished items should not take priority over the higher-risk March vulnerabilities.
That said, organizations should still review whether any of these non-Microsoft or republished CVEs apply to their environment, especially if they rely on the affected developer tools, browser deployments, or related third-party software.
