Microsoft and Adobe Patch Tuesday, March 2026 Security Update Review

Microsoft has rolled out its March 2026 Patch Tuesday updates, delivering a fresh batch of security fixes designed to keep Windows environments protected from emerging threats. The release addresses multiple vulnerabilities spanning Windows components and other Microsoft products. Here’s a quick breakdown of what you need to know.

Microsoft Patch Tuesday for March 2026

This month’s release addresses 93 vulnerabilities, including eight critical and 75 important severity vulnerabilities.

In this month’s updates, Microsoft has addressed two publicly disclosed zero-day vulnerabilities.

Microsoft addressed nine vulnerabilities in Microsoft Edge (Chromium-based) that were patched earlier this month.

Microsoft Patch Tuesday, March edition, includes updates for vulnerabilities in Microsoft Graphics Component, Windows Kerberos, Windows Kernel, Windows Hyper-V, SQL Server, Windows File Server, Windows App Installer, and more.

This month’s release includes fixes for several high-severity issues that could potentially enable remote code execution, privilege escalation, or denial-of-service attacks. As always, timely patch deployment is crucial to reduce exposure and ensure systems remain resilient against exploitation attempts.

The March 2026 Microsoft vulnerabilities are classified as follows:

Adobe Patches for March 2026

Adobe has released eight security advisories to address 80 vulnerabilities in Adobe Commerce, Adobe Illustrator, Substance 3D Painter, Adobe Acrobat Reader, Adobe Premiere Pro, Adobe Experience Manager, Substance 3D Stager, and Adobe DNG Software Development Kit (SDK). 21 of these vulnerabilities are given critical severity ratings. Successful exploitation of these vulnerabilities may lead to Privilege escalation, Security feature bypass, and arbitrary code execution.

Zero-day Vulnerabilities Patched in March Patch Tuesday Edition

CVE-2026-21262: SQL Server Elevation of Privilege Vulnerability 

SQL Server is Microsoft’s relational database management system (RDBMS) for storing, managing, and retrieving data in enterprise environments.

An improper access control flaw in SQL Server may allow an authenticated attacker to elevate their privileges across the network. Upon successful exploitation of the vulnerability, an attacker could gain SQL sysadmin privileges.

CVE-2026-26127: .NET Denial of Service Vulnerability

A .NET out-of-bounds read flaw could allow an unauthenticated attacker to launch a denial-of-service attack.

Critical Severity Vulnerabilities Patched in March Patch Tuesday Edition

CVE-2026-26113: Microsoft Office Remote Code Execution Vulnerability

An untrusted pointer dereference flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.

CVE-2026-26110: Microsoft Office Remote Code Execution Vulnerability

A type confusion flaw in Microsoft Office could allow an unauthenticated attacker to achieve remote code execution.

CVE-2026-26144: Microsoft Excel Information Disclosure Vulnerability

An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.

CVE-2026-26122: Microsoft ACI Confidential Containers Information Disclosure Vulnerability

Microsoft ACI (Azure Container Instances) Confidential Containers enable serverless deployment of containerized applications within a hardware-based Trusted Execution Environment (TEE) using AMD SEV-SNP technology. They protect data in use by encrypting memory and ensuring code integrity, preventing unauthorized access from cloud operators, privileged users, or malicious actors.

Initialization of a resource with an insecure default in Azure Compute Gallery could allow an authenticated attacker to disclose information over a network.

CVE-2026-26125: Payment Orchestrator Service Elevation of Privilege Vulnerability

A Payment Orchestrator Service is a software layer that centralizes and manages a business’s entire payment ecosystem—gateways, processors, and acquirers—via a single integration.

Microsoft has not provided any information about the vulnerability. The advisory states that the vulnerability has been fully mitigated.

CVE-2026-26124: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability

Microsoft has not provided any information about the vulnerability. The advisory states that the vulnerability has been fully mitigated in the Azure Confidential ACI service. No service update, patch, reboot, or upgrade is required.

CVE-2026-21536: Microsoft Devices Pricing Program Remote Code Execution Vulnerability

The Microsoft Devices Pricing Program generally refers to specialized purchasing, education discounts, and licensing models for Microsoft hardware (like Surface) and software, designed to reduce costs for businesses, education, and individual users. These programs offer volume pricing, device-based licensing for Microsoft 365, and special discounts for students/teachers.

Microsoft has not provided any information about the vulnerability. The advisory states that Microsoft has fully mitigated the vulnerability. No action is required of users of this service.

CVE-2026-23651: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability 

A permissive regular expression flaw in Azure Compute Gallery could allow an authenticated attacker to elevate local privileges.

Other Microsoft Vulnerability Highlights

• CVE-2026-23668 is an elevation-of-privilege vulnerability in the Windows Graphics Component. Upon successful exploitation of the vulnerability, an attacker could gain administrator privileges.
• CVE-2026-24289 and CVE-2026-26132 are elevation-of-privilege vulnerabilities in the Windows Kernel. A use-after-free flaw may allow an authenticated attacker to gain SYSTEM privileges.
• CVE-2026-24291 is an elevation-of-privilege vulnerability in the Windows Accessibility Infrastructure. Upon successful exploitation of the vulnerability, an authenticated attacker could gain SYSTEM privileges.
• CVE-2026-24294 is an elevation-of-privilege vulnerability in Windows SMB Server. Successful exploitation of the vulnerability may allow an authenticated attacker to gain SYSTEM privilege.
• CVE-2026-25187 is an elevation-of-privilege vulnerability in Winlogon. Upon successful exploitation of the vulnerability, an authenticated attacker could gain SYSTEM privileges.

Microsoft Release Summary

This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, System Center Operations Manager, Microsoft Devices Pricing Program, Azure Compute Gallery, GitHub Repo: zero-shot-scfoundation, Azure Portal Windows Admin Center, Azure IoT Explorer, Azure Linux Virtual Machines, Broadcast DVR, Windows Print Spooler Components, Windows Bluetooth RFCOM Protocol Driver, Windows Universal Disk Format File System Driver (UDFS), Windows Resilient File System (ReFS), Windows MapUrlToZone, Push Message Routing Service, Windows Win32K, Windows Mobile Broadband, Windows Projected File System, Windows Accessibility Infrastructure (ATBroker.exe), Connected Devices Platform Service (Cdpsvc), Windows Ancillary Function Driver for WinSock, Windows SMB Server, Windows Device Association Service, Windows Performance Counters, Windows System Image Manager, Microsoft Brokering File System, Windows Authentication Methods, Windows Routing and Remote Access Service (RRAS), Windows Extensible File Allocation, Windows NTFS, Active Directory Domain Services, Windows GDI+, Windows Shell Link Processing, Winlogon, Windows Telephony Service, Windows DWM Core Library, Windows GDI, Microsoft Office SharePoint, Microsoft Office Excel, Microsoft Office, Azure Windows Virtual Machine Agent, Azure MCP Server, Microsoft Authenticator, Payment Orchestrator Service, .NET, ASP.NET Core, Azure Arc, Azure Entra ID, Microsoft Semantic Kernel Python SDK, and Microsoft Edge (Chromium-based).

Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).

You can see all your impacted hosts by these vulnerabilities using the following QQL query:

vulnerabilities.vulnerability: ( qid: 110520 or qid: 110521 or qid: 386757 or qid: 386758 or qid: 386764 or qid: 386765 or qid: 92364 or qid: 92365 or qid: 92366 or qid: 92367 )

Patch to the Latest Version

VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.

The following QQL will return the missing patches for this Patch Tuesday:

( qid: 110520 or qid: 110521 or qid: 386757 or qid: 386758 or qid: 386764 or qid: 386765 or qid: 92364 or qid: 92365 or qid: 92366 or qid: 92367 )

The next Patch Tuesday is scheduled for April 14, and we will provide details and patch analysis at that time. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.’

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management, Detection & Response (VMDR), and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those highlighted in this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.

Join the webinar

This Month in Vulnerabilities & Patches

Related