⚡ TL;DR | Go Straight to the March 2026 Patch Tuesday Audit Report
Patch Tuesday is once again upon us. As always, our team has put together the monthly Patch Tuesday Report to help you manage your update progress. The audit report gives you a quick and clear overview of your Windows machines and their patching status. The March 2026 edition of Patch Tuesday brings us 88 fixes, with 3 rated as critical. We’ve listed the most important changes below.
Microsoft Excel Information Disclosure Vulnerability
CVE-2026-26144 is a critical information disclosure flaw in Microsoft Excel caused by improper input neutralization during web page generation. An unauthenticated attacker could exploit this issue over the network without requiring user interaction to expose sensitive information, potentially by abusing Copilot Agent mode to trigger unintended outbound data exfiltration in a zero-click scenario.
Microsoft notes that the Preview Pane is not a valid attack path, and exploitation is currently considered unlikely, with no evidence of public disclosure or active abuse at the time of release.
Microsoft Office Remote Code Execution Vulnerability
The last two critical vulnerabilites this month are both in Microsoft Office. CVE-2026-26113 and CVE-2026-26110, both describe critical remote code execution risks that could allow unauthorized code to run locally on an affected system.
CVE-2026-26113 stems from an untrusted pointer dereference, while CVE-2026-26110 is caused by a type confusion issue involving incompatible resource handling. In both cases, Microsoft rates the attack complexity as low, requires no privileges or user interaction, and notes that the Preview Pane can serve as an attack vector. Although these flaws are labeled as remote code execution, Microsoft clarifies that the exploitation itself occurs locally on the device, meaning code must ultimately be triggered from the local machine.
Neither vulnerability was publicly disclosed or observed in active attacks at release, and exploitation is currently assessed as less likely, but affected organizations should still install all applicable security updates for impacted Office products.
Windows Kernel Elevation of Privilege Vulnerability
Last but not least are two of the more concerning Windows flaws addressed this month, CVE-2026-26132 and CVE-2026-24289, both elevation of privilege vulnerabilities in the Windows Kernel caused by a use-after-free condition. In each case, an attacker with low privileges could exploit the issue locally without user interaction to gain higher-level access on the system.
Microsoft rates both vulnerabilities as more likely to be exploited, which makes them especially notable for defenders, since kernel-level privilege escalation bugs are often used to turn a limited compromise into full control of a device.
While CVE-2026-26132 could allow an attacker to obtain administrator privileges, CVE-2026-24289 is even more severe in outcome, as successful exploitation could result in SYSTEM-level access.
Run the Patch Tuesday March 2026 Audit
To help manage your update progress, we’ve created the Patch Tuesday Audit that checks if the assets in your network are on the latest patch updates. The report has been color-coded to see which machines are up-to-date and which ones still need to be updated. As always, system administrators are urged to update their environment as soon as possible to ensure all endpoints are secured.
The Lansweeper Patch Tuesday report is automatically added to your Lansweeper Site. Lansweeper Sites is included in all our licenses without any additional cost and allows you to federate all your installations into one single view so all you need to do is look at one report, automatically added every patch Tuesday!
Patch Tuesday March 2026 CVE Codes & Titles
| CVE Number | CVE Title |
| CVE-2026-26148 | Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability |
| CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability |
| CVE-2026-26141 | Hybrid Worker Extension (Arc‑enabled Windows VMs) Elevation of Privilege Vulnerability |
| CVE-2026-26134 | Microsoft Office Elevation of Privilege Vulnerability |
| CVE-2026-26132 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-26131 | .NET Elevation of Privilege Vulnerability |
| CVE-2026-26130 | ASP.NET Core Denial of Service Vulnerability |
| CVE-2026-26128 | Windows SMB Server Elevation of Privilege Vulnerability |
| CVE-2026-26127 | .NET Denial of Service Vulnerability |
| CVE-2026-26123 | Microsoft Authenticator Information Disclosure Vulnerability |
| CVE-2026-26121 | Azure IOT Explorer Spoofing Vulnerability |
| CVE-2026-26118 | Azure MCP Server Tools Elevation of Privilege Vulnerability |
| CVE-2026-26117 | Arc Enabled Servers – Azure Connected Machine Agent Elevation of Privilege Vulnerability |
| CVE-2026-26116 | SQL Server Elevation of Privilege Vulnerability |
| CVE-2026-26115 | SQL Server Elevation of Privilege Vulnerability |
| CVE-2026-26114 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2026-26112 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-26111 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2026-26110 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2026-26109 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-26108 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-26107 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2026-26106 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| CVE-2026-26105 | Microsoft SharePoint Server Spoofing Vulnerability |
| CVE-2026-25190 | GDI Remote Code Execution Vulnerability |
| CVE-2026-25189 | Windows DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2026-25188 | Windows Telephony Service Elevation of Privilege Vulnerability |
| CVE-2026-25187 | Winlogon Elevation of Privilege Vulnerability |
| CVE-2026-25186 | Windows Accessibility Infrastructure (ATBroker.exe) Information Disclosure Vulnerability |
| CVE-2026-25185 | Windows Shell Link Processing Spoofing Vulnerability |
| CVE-2026-25181 | GDI+ Information Disclosure Vulnerability |
| CVE-2026-25180 | Windows Graphics Component Information Disclosure Vulnerability |
| CVE-2026-25179 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-25178 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-25177 | Active Directory Domain Services Elevation of Privilege Vulnerability |
| CVE-2026-25176 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-25175 | Windows NTFS Elevation of Privilege Vulnerability |
| CVE-2026-25174 | Windows Extensible File Allocation Table Elevation of Privilege Vulnerability |
| CVE-2026-25173 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2026-25172 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2026-25171 | Windows Authentication Elevation of Privilege Vulnerability |
| CVE-2026-25170 | Windows Hyper-V Elevation of Privilege Vulnerability |
| CVE-2026-25169 | Windows Graphics Component Denial of Service Vulnerability |
| CVE-2026-25168 | Windows Graphics Component Denial of Service Vulnerability |
| CVE-2026-25167 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2026-25166 | Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability |
| CVE-2026-25165 | Performance Counters for Windows Elevation of Privilege Vulnerability |
| CVE-2026-24297 | Windows Kerberos Security Feature Bypass Vulnerability |
| CVE-2026-24296 | Windows Device Association Service Elevation of Privilege Vulnerability |
| CVE-2026-24295 | Windows Device Association Service Elevation of Privilege Vulnerability |
| CVE-2026-24294 | Windows SMB Server Elevation of Privilege Vulnerability |
| CVE-2026-24293 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| CVE-2026-24292 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability |
| CVE-2026-24291 | Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability |
| CVE-2026-24290 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2026-24289 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-24288 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability |
| CVE-2026-24287 | Windows Kernel Elevation of Privilege Vulnerability |
| CVE-2026-24285 | Win32k Elevation of Privilege Vulnerability |
| CVE-2026-24283 | Multiple UNC Provider Kernel Driver Elevation of Privilege Vulnerability |
| CVE-2026-24282 | Push message Routing Service Elevation of Privilege Vulnerability |
| CVE-2026-23674 | MapUrlToZone Security Feature Bypass Vulnerability |
| CVE-2026-23673 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability |
| CVE-2026-23672 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability |
| CVE-2026-23671 | Windows Bluetooth RFCOM Protocol Driver Elevation of Privilege Vulnerability |
| CVE-2026-23669 | Windows Print Spooler Remote Code Execution Vulnerability |
| CVE-2026-23668 | Windows Graphics Component Elevation of Privilege Vulnerability |
| CVE-2026-23667 | Broadcast DVR Elevation of Privilege Vulnerability |
| CVE-2026-23665 | Linux Azure Diagnostic extension (LAD) Elevation of Privilege Vulnerability |
| CVE-2026-23664 | Azure IoT Explorer Information Disclosure Vulnerability |
| CVE-2026-23662 | Azure IoT Explorer Information Disclosure Vulnerability |
| CVE-2026-23661 | Azure IoT Explorer Information Disclosure Vulnerability |
| CVE-2026-23660 | Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability |
| CVE-2026-23656 | Windows App Installer Spoofing Vulnerability |
| CVE-2026-23654 | GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability |
| CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability |
| CVE-2026-20967 | System Center Operations Manager (SCOM) Elevation of Privilege Vulnerability |
| CVE-2026-3494 | MariaDB Server Audit Plugin Comment Handling Bypass |
| CVE-2026-28422 | Vim has stack-buffer-overflow in build_stl_str_hl() |
| CVE-2026-28421 | Vim has a heap-buffer-overflow and a segmentation fault |
| CVE-2026-28420 | Vim has Heap-based Buffer Overflow and OOB Read in :terminal |
| CVE-2026-28419 | Vim has Heap-based Buffer Underflow in Emacs tags parsing |
| CVE-2026-28418 | Vim has Heap-based Buffer Overflow in Emacs tags parsing |
| CVE-2026-28417 | Vim has OS Command Injection in netrw |
| CVE-2026-26030 | GitHub: CVE-2026-26030 Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable |
| CVE-2025-14524 | bearer token leak on cross-protocol redirect |
| CVE-2025-10966 | missing SFTP host verification with wolfSSH |