Microsoft’s March 2026 update fixes 80+ security vulnerabilities
Yesterday was Patch Tuesday for March, with Microsoft releasing security updates that addressed 84 security vulnerabilities. In addition to Windows and Office, Microsoft’s cloud services were also affected. So far, none of the vulnerabilities have been exploited for attacks in the wild. Microsoft classifies eight of them as critical; the rest are high risk.
The next Patch Tuesday is scheduled for April 14th, 2026.
Microsoft Office security fixes
Microsoft has fixed 13 vulnerabilities in its Office family, three of which are classified as critical. These include the CVE-2026-26144 data leak in Excel. This XSS (cross-site scripting) vulnerability could be exploited by an attacker to extract information using the Copilot agent.
CVE-2026-26110 and CVE-2026-26113, on the other hand, are RCE (remote code execution) vulnerabilities that can be used to inject and execute malicious code. Here, the preview window is an attack vector—you don’t even need to open an Office file to enable a successful attack.
The other RCE vulnerabilities in Excel can’t be exploited via the preview window, nor can the two RCE vulnerabilities in SharePoint.
Windows security fixes
A large number of the vulnerabilities—48 this time—are spread across the various Windows versions (10, 11, and Server) that Microsoft still supports with security updates.
Windows 10 continues to be listed as an affected system, even though support officially expired in October. This was not the case with Windows 7, despite the ESU (Extended Security Updates) program.
PrintNightmare reloaded?!
The RCE vulnerability CVE-2026-23669 in the Windows print queue reminds experts of the “PrintNightmare” exploit from July 2021 because it works in a very similar way: a privileged attacker sends special messages over the network to vulnerable systems to inject and execute malicious code without user interaction. However, no attacks in the wild on this vulnerability are known to date.
Three RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) achieve a CVSS score of 8.0 to 8.8. Meanwhile, four EoP (Elevation of Privilege) vulnerabilities in the Winsock add-on driver score between CVSS 7 and 7.8.
Tip: Whether or not you keep your operating system up to date, you should maximize the security of your PC with reputable antivirus software. For options, check out our picks for the best Windows antivirus software. If you value privacy, also check out the best VPN providers.
Zero-day Microsoft vulnerabilities
Security vulnerabilities that aren’t actively being exploited but are already known before an update is released are also considered zero-day vulnerabilities. There are two of this type this time: CVE-2026-26127 is a DoS (denial of service) vulnerability in .NET and CVE-2026-21262 is an EoP vulnerability in SQL Server (CVSS 8.8).
Microsoft Edge security fixes
The latest security update for Edge 145.0.3800.97 is dated March 6th and is based on Chromium 145.0.7632.160. It fixes 10 Chromium vulnerabilities. However, Google has since released Chrome and Chromium 146, and a corresponding Edge update is expected to be released at the end of this week.