Microsoft released security updates this week addressing 83 Common Vulnerabilities and Exposures (CVEs) across its product portfolio. Microsoft assesses that threat actors are more likely to target six of these vulnerabilities.
This release is larger than February's 63-patch update and contains the usual mix of elevation of privilege (EoP) vulnerabilities, remote code execution (RCE) flaws, denial of service (DoS) issues, and information disclosure bugs. Security researchers note that none of the patched bugs is under active exploitation, so organizations can roll these updates out through their routine testing cycles rather than as emergency deployments.
The March release presents a manageable workload for system administrators. "I don’t see a lot of reasons for people to stress," stated Tyler Reguly, associate director of security R&D at Fortra. "The messaging this month should be, 'Apply your patches after you finish your testing cycles.' There’s nothing that requires rushing patches, nothing that requires panic…this is just a nice, quiet Patch Tuesday."
A relatively light month
Only one vulnerability in this month's release carries a CVSS severity score of 9.8: CVE-2027-21536, an RCE vulnerability in the Microsoft Devices Pricing Program for channel partners and distributors. Because the affected component is hosted by Microsoft, the issue has already been remediated on Microsoft's side and requires no action from customers.
Ben McCarthy, lead cyber security engineer at Immersive, pointed out that the finding is notable for being one of the first known vulnerabilities identified by an AI agent to receive an official CVE. "Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed," he said.
Eight vulnerabilities carry a critical severity rating. Two CVEs in the release were publicly disclosed before this week's update: CVE-2026-26127 (CVSS 7.5), a .NET denial of service vulnerability, and CVE-2026-21262 (CVSS 8.8), a SQL Server elevation of privilege flaw.
Both were public before a patch was available, but neither presents much risk. "Their public disclosure prior to today is the only novel trait," stated Satnam Narang, senior staff research engineer at Tenable. "These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited."
Elevation of privilege findings
EoP vulnerabilities represent the largest category in this month's update, accounting for 55.4% of the patched CVEs according to Tenable's analysis. RCE vulnerabilities accounted for 20.5% of the total.
Three of the EoP vulnerabilities affect the Windows kernel: CVE-2026-24289 (CVSS 7.8), CVE-2026-26132 (CVSS 7.8), and CVE-2026-24287 (CVSS 7.8). Microsoft rates CVE-2026-24289 and CVE-2026-26132 as more likely to be exploited because they have low attack complexity and require neither special privileges nor user interaction.
Amol Sarwate, head of security research at Cohesity, recommends that administrators also prioritize two additional EoP vulnerabilities: CVE-2026-24294 (CVSS 7.8) in SMB Server and CVE-2026-23668 (CVSS 7.0) in the Microsoft Graphics Component. "Elevation of privilege is one of the attackers’ primary methods for gaining access to networks and maintaining dwell time," Sarwate said.
Remote code execution considerations
Security researchers singled out two RCE vulnerabilities affecting Microsoft Office: CVE-2026-26113 (CVSS 8.4) and CVE-2026-26110 (CVSS 8.4). The Preview Pane is an attack vector for both, meaning a system could be compromised when a malicious document is merely previewed, without the user explicitly opening it.
"If the security update cannot be applied immediately, organizations should disable the Preview Pane in file explorers and restrict the opening of Office files from untrusted sources," advised Jack Bicer, director of vulnerability research at Action1. "Implementing email filtering, attachment scanning, and endpoint protection monitoring can also reduce the risk of malicious document delivery."
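As an added example (not from the article, and not a script published by Bicer or Action1), the following PowerShell applies the interim mitigations quoted above for the current user and reports each registry value before and after. It assumes Office 2016 or Microsoft 365 Apps (the `16.0` registry hive); the `...\Policies\...` paths are the same ones Group Policy and Intune write, so this is a per-machine stand-in for those policies when testing.

```powershell
# Added example, not from the article: apply the interim mitigations described
# above for the current user and report each registry value before/after.
# Assumes Office 2016 / Microsoft 365 Apps (registry hive version 16.0). The
# paths under ...\Policies\... are the ones Group Policy and Intune write, so
# this is the per-user equivalent of those policies for testing.

$ErrorActionPreference = 'Stop'

function Set-RegDword {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    [pscustomobject]@{ Path = $Path; Name = $Name; Before = $before; After = $Value }
}

$changes = @()

# 1. File Explorer: policy "Turn off the display of the preview pane"
#    (NoReadingPane=1) plus the per-user switch that stops Explorer from
#    loading preview handlers at all (ShowPreviewHandlers=0).
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$explorerAdv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$changes += Set-RegDword -Path $explorerPolicy -Name 'NoReadingPane'       -Value 1
$changes += Set-RegDword -Path $explorerAdv    -Name 'ShowPreviewHandlers' -Value 0

# 2. Office: keep Protected View enforced for internet files, Outlook
#    attachments and unsafe locations (0 = "do not disable"), and block macro
#    execution in files that carry the Mark of the Web.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $pv  = "$sec\ProtectedView"
    $changes += Set-RegDword -Path $pv  -Name 'DisableInternetFilesInPV'          -Value 0
    $changes += Set-RegDword -Path $pv  -Name 'DisableAttachementsInPV'           -Value 0  # sic: Microsoft's spelling
    $changes += Set-RegDword -Path $pv  -Name 'DisableUnsafeLocationsInPV'        -Value 0
    $changes += Set-RegDword -Path $sec -Name 'BlockContentExecutionFromInternet' -Value 1
}

$changes | Format-Table -AutoSize

# Explorer reads the pane setting at start-up: sign out and back in (or
# restart explorer.exe) for step 1. Office re-reads policy on next launch.
```

Run it as the affected user. After the update is installed, remove the values with `Remove-ItemProperty` rather than flipping them, so the Office defaults (which still keep Protected View on) return rather than a hard-coded state. Outlook's own "Turn off Attachment Preview" switch (File > Options > Trust Center > Attachment Handling) is a separate setting and is not scripted here.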
Two vulnerabilities in the Windows graphics APIs, CVE-2026-25190 (CVSS 7.8), an RCE in GDI, and CVE-2026-25181 (CVSS 7.5), an information disclosure in GDI+, are each assessed by Microsoft as less likely to be exploited. Chained together, however, they form a two-stage attack in which the information leak helps defeat Windows security features so the GDI bug can be used to execute arbitrary code.
Ryan Braunstein, security manager at Automox, noted how difficult the chain is to execute. "The precision required to pull this off suggests nation-state-level investment, but the payoff matches: clean, reliable remote code execution on the target system," he said.
Original reporting by Jai Vijayan, a technology reporter with over 20 years of experience in IT trade journalism, including roles as a Senior Editor at Computerworld covering information security, data privacy, and data analytics. He holds a master's degree in Statistics.