Overview
On March 11, NSFOCUS CERT detected that Microsoft released the March Security Update patch, which fixed 83 security issues involving widely used products such as Windows, Microsoft Office, Microsoft SQL Server, Azure, etc., including high-risk vulnerability types such as privilege escalation and remote code execution.
Among the vulnerabilities fixed by Microsoft’s monthly update this month, there are 8 critical vulnerabilities and 75 important vulnerabilities.
Please update the patch as soon as possible for protection. For a complete list of vulnerabilities, please refer to the appendix.
Reference link: https://msrc.microsoft.com/update-guide/releaseNote/2026-Mar
Key Vulnerabilities
Based on the product popularity and vulnerability importance, this update contains vulnerabilities with greater impact. Relevant users are requested to pay special attention:
Microsoft Office Remote Code Execution Vulnerability (CVE-2026-26110):
A remote code execution vulnerability exists in Microsoft Office. Due to type confusion issues in Microsoft Office, an unauthenticated attacker can access resources through incompatible data types, and the user preview pane will trigger arbitrary code execution. CVSS score 8.4.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26110
Microsoft Office Remote Code Execution Vulnerability (CVE-2026-26113):
A remote code execution vulnerability exists in Microsoft Office. Due to the untrusted pointer dereference problem that Microsoft Office is dealing with, an unauthenticated attacker can send a specially crafted malicious file to the user, which will cause arbitrary code execution after the user previews or clicks it. CVSS score 8.4.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26113
Microsoft Excel Information Disclosure Vulnerability (CVE-2026-26144):
There is an information disclosure vulnerability in Microsoft Excel. Because Microsoft Excel fails to correctly process the input data during the web page generation process, it leads to cross-site scripting attacks. Unauthenticated attackers can obtain sensitive information through the Copilot Agent mode. CVSS score 7.5.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26144
Windows Print Spooler Remote Code Execution Vulnerability (CVE-2026-23669):
Windows Print Spooler has a remote code execution vulnerability. Because Windows Print Spooler allows use-after-free reuse (use-after-free), an authenticated attacker can execute arbitrary code over the network. CVSS score 8.8.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23669
Windows SMB Server Privilege Escalation Vulnerability (CVE-2026-24294):
A privilege escalation vulnerability exists in Windows SMB Server, which allows an authenticated local attacker to elevate privileges to SYSTEM due to improper authentication issues in the Windows SMB server. CVSS score 7.8.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24294
Windows Graphics Component Privilege Escalation Vulnerability (CVE-2026-23668):
A privilege escalation vulnerability exists in the Windows Graphics Component. Due to a flawed synchronization mechanism when using shared resources in Microsoft Graphics Component, an authenticated attacker can elevate privileges to SYSTEM through conditional competition. CVSS score 7.0.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23668
Scope of Impact
The following are the affected product versions of some key vulnerabilities. For the scope of products affected by other vulnerabilities, please refer to the official announcement link.
| Vulnerability Number | Affected product versions |
| CVE-2026-26110 | Microsoft Office for Android Microsoft Office 2016 (64-bit edition) Microsoft Office 2016 (32-bit edition) Microsoft Office LTSC for Mac 2024 Microsoft Office LTSC 2024 for 64-bit editions Microsoft Office LTSC 2024 for 32-bit editions Microsoft Office LTSC 2021 for 32-bit editions Microsoft Office LTSC 2021 for 64-bit editions Microsoft Office LTSC for Mac 2021 Microsoft 365 Apps for Enterprise for 64-bit Systems Microsoft 365 Apps for Enterprise for 32-bit Systems Microsoft Office 2019 for 64-bit editions Microsoft Office 2019 for 32-bit editions |
| CVE-2026-26113 | Microsoft Office 2016 (64-bit edition) Microsoft Office 2016 (32-bit edition) Microsoft Office LTSC for Mac 2024 Microsoft Office LTSC 2024 for 64-bit editions Microsoft Office LTSC 2024 for 32-bit editions Microsoft Office LTSC 2021 for 64-bit editions Microsoft Office LTSC for Mac 2021 Microsoft 365 Apps for Enterprise for 64-bit Systems Microsoft 365 Apps for Enterprise for 32-bit Systems Microsoft Office 2019 for 64-bit editions Microsoft Office 2019 for 32-bit editions Microsoft SharePoint Server 2019 Microsoft SharePoint Server Subscription Edition Microsoft SharePoint Enterprise Server 2016 |
| CVE-2026-26144 | Microsoft 365 Apps for Enterprise for 32-bit Systems Microsoft 365 Apps for Enterprise for 64-bit Systems |
| CVE-2026-23669 CVE-2026-24294 | Windows Server 2012 R2 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 (Server Core installation) Windows Server 2012 Windows Server 2016 (Server Core installation) Windows Server 2016 Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows Server 2025 Windows 11 Version 24H2 for x64-based Systems Windows 11 Version 24H2 for ARM64-based Systems Windows Server 2022, 23H2 Edition (Server Core installation) Windows 11 Version 23H2 for x64-based Systems Windows 11 Version 23H2 for ARM64-based Systems Windows 11 Version 25H2 for x64-based Systems Windows 11 Version 25H2 for ARM64-based Systems Windows Server 2025 (Server Core installation) Windows 10 Version 22H2 for 32-bit Systems Windows 10 Version 22H2 for ARM64-based Systems Windows 10 Version 22H2 for x64-based Systems Windows 10 Version 21H2 for x64-based Systems Windows 10 Version 21H2 for ARM64-based Systems Windows 10 Version 21H2 for 32-bit Systems Windows Server 2022 (Server Core installation) Windows Server 2022 Windows Server 2019 (Server Core installation) Windows Server 2019 Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems Windows 11 version 26H1 for x64-based Systems Windows 11 Version 26H1 for ARM64-based Systems |
| CVE-2026-23668 | Windows Server 2012 R2 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 (Server Core installation) Windows Server 2012 Windows Server 2016 (Server Core installation) Windows Server 2016 Windows 10 Version 1607 for x64-based Systems Windows 10 Version 1607 for 32-bit Systems Windows Server 2022, 23H2 Edition (Server Core installation) Windows 11 Version 23H2 for x64-based Systems Windows 11 Version 23H2 for ARM64-based Systems Windows 10 Version 22H2 for 32-bit Systems Windows 10 Version 22H2 for ARM64-based Systems Windows 10 Version 22H2 for x64-based Systems Windows 10 Version 21H2 for x64-based Systems Windows 10 Version 21H2 for ARM64-based Systems Windows 10 Version 21H2 for 32-bit Systems Windows Server 2022 (Server Core installation) Windows Server 2022 Windows Server 2019 (Server Core installation) Windows Server 2019 Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems |
Mitigation
At present, Microsoft has officially released security patches to fix the above vulnerabilities for supported product versions. It is strongly recommended that affected users install patches as soon as possible for protection. The official download link:
https://msrc.microsoft.com/update-guide/releaseNote/2026-Mar
Note: Patch updates for Windows Update may fail due to network problems, computer environment problems, etc. After installing the patch, users should check whether the patch has been successfully updated in time.
Right-click the Windows icon, select “Settings (N)”, select “Update and Security”-“Windows Update”, view the prompt information on this page, or click “View Update History” to view the historical update status.
For updates that have not been successfully installed, you can click the update name to jump to the Microsoft official download page. It is recommended that users click the link on this page and go to the “Microsoft Update” website to download the independent program package and install it.
Appendix: Vulnerability List
| Affected products | CVE No. | Vulnerability Title | Severity |
|---|---|---|---|
| Microsoft Office | CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Azure | CVE-2026-23651 | Microsoft ACI Confidential Containers Privilege Escalation Vulnerability | Critical |
| Device | CVE-2026-21536 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability | Critical |
| Azure | CVE-2026-26124 | Microsoft ACI Confidential Containers Privilege Escalation Vulnerability | Critical |
| Other | CVE-2026-26125 | Payment Orchestrator Service privilege escalation vulnerability | Critical |
| Azure | CVE-2026-26122 | Microsoft ACI Confidential Containers Information Disclosure Vulnerability | Critical |
| Microsoft Office | CVE-2026-26110 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| Microsoft Office | CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability | Critical |
| Microsoft SQL Server | CVE-2026-21262 | SQL Server Privilege Escalation Vulnerability | Important |
| Azure | CVE-2026-23660 | Windows Admin Center in Azure Portal Privilege Escalation Vulnerability | Important |
| Azure | CVE-2026-23664 | Azure IoT Explorer information disclosure vulnerability | Important |
| Windows | CVE-2026-23667 | Broadcast DVR Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-23668 | Windows Graphics Component Escalation Vulnerability | Important |
| Windows | CVE-2026-23669 | Windows Print Spooler Remote Code Execution Vulnerability | Important |
| Windows | CVE-2026-23671 | Windows Bluetooth RFCOM Protocol Driver Escalation Vulnerability | Important |
| Windows | CVE-2026-23672 | Windows Universal Disk Format File System Driver (UDFS) Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-23673 | Windows Resilient File System (ReFS) Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-24282 | Push message Routing Service privilege escalation vulnerability | Important |
| Windows | CVE-2026-24283 | Multiple UNC Provider Kernel Driver privilege escalation vulnerability | Important |
| Microsoft Office,Windows | CVE-2026-24285 | Win32k Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-24287 | Windows Kernel privilege escalation vulnerability | Important |
| Windows | CVE-2026-24288 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Important |
| Windows | CVE-2026-24289 | Windows Kernel privilege escalation vulnerability | Important |
| Windows | CVE-2026-24290 | Windows Projected File System Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-24291 | Windows Accessibility Infrastructure (ATBroker.exe) Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-24292 | Windows Connected Devices Platform Service privilege escalation vulnerability | Important |
| Windows | CVE-2026-24293 | Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-24294 | Windows SMB Server Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-24295 | Windows Device Association Service privilege escalation vulnerability | Important |
| Windows | CVE-2026-24296 | Windows Device Association Service privilege escalation vulnerability | Important |
| Windows | CVE-2026-24297 | Windows Kerberos security feature bypass vulnerability | Important |
| Windows | CVE-2026-25165 | Performance Counters for Windows privilege escalation vulnerabilities | Important |
| Windows | CVE-2026-25166 | Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability | Important |
| Windows | CVE-2026-25167 | Microsoft Brokering File System Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-25168 | Windows Graphics Component Denial of Service Vulnerability | Important |
| Windows | CVE-2026-25169 | Windows Graphics Component Denial of Service Vulnerability | Important |
| Windows | CVE-2026-25170 | Windows Hyper-V privilege escalation vulnerability | Important |
| Windows | CVE-2026-25171 | Windows Authentication privilege escalation vulnerability | Important |
| Windows | CVE-2026-25172 | Windows Routing and Remote Access Service (RRAS) remote code execution vulnerability | Important |
| Windows | CVE-2026-25173 | Windows Routing and Remote Access Service (RRAS) remote code execution vulnerability | Important |
| Windows | CVE-2026-25174 | Windows Extensible File Allocation Table Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-25175 | Windows NTFS privilege escalation vulnerability | Important |
| Windows | CVE-2026-25176 | Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-25177 | Active Directory Domain Services privilege escalation vulnerability | Important |
| Windows | CVE-2026-25178 | Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-25179 | Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability | Important |
| Microsoft Office,Windows | CVE-2026-25180 | Windows Graphics Component Information Disclosure Vulnerability | Important |
| Windows | CVE-2026-25181 | GDI+ information leakage vulnerability | Important |
| Windows | CVE-2026-25185 | Windows Shell Link Data Processing Spoofing Vulnerability | Important |
| Windows | CVE-2026-25186 | Windows Accessibility Infrastructure (ATBroker.exe) Information Disclosure Vulnerability | Important |
| Windows | CVE-2026-25187 | Winlogon Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-25188 | Windows Telephony Service privilege escalation vulnerability | Important |
| Windows | CVE-2026-25189 | Windows DWM Core Library privilege escalation vulnerability | Important |
| Windows | CVE-2026-25190 | GDI remote code execution vulnerability | Important |
| Microsoft Office | CVE-2026-26105 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Windows | CVE-2026-26111 | Windows Routing and Remote Access Service (RRAS) remote code execution vulnerability | Important |
| Microsoft Office | CVE-2026-26112 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2026-26114 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Windows | CVE-2026-23656 | Windows App Installer spoofing vulnerability | Important |
| System Center | CVE-2026-20967 | System Center Operations Manager (SCOM) privilege escalation vulnerability | Important |
| Azure | CVE-2026-26121 | Azure IOT Explorer spoofing vulnerability | Important |
| Microsoft SQL Server | CVE-2026-26115 | SQL Server Privilege Escalation Vulnerability | Important |
| Microsoft SQL Server | CVE-2026-26116 | SQL Server Privilege Escalation Vulnerability | Important |
| Windows | CVE-2026-26128 | Windows SMB Server Privilege Escalation Vulnerability | Important |
| .NET 10.0 installed on Linux | CVE-2026-26131 | .NET privilege escalation vulnerability | Important |
| Windows | CVE-2026-26132 | Windows Kernel privilege escalation vulnerability | Important |
| Microsoft Office | CVE-2026-26134 | Microsoft Office privilege escalation vulnerability | Important |
| Microsoft.Bcl.Memory, .NET 9.0 installed on Windows, .NET 10.0 installed on Windows, .NET 9.0 installed on Mac OS, .NET 10.0 installed on Linux, .NET 10.0 installed on Mac OS, .NET 9.0 installed on Linux | CVE-2026-26127 | .NET Denial of Service Vulnerability | Important |
| Windows | CVE-2026-23674 | MapUrlToZone security feature bypass vulnerability | Important |
| Azure | CVE-2026-26148 | Microsoft Azure AD SSH Login extension for Linux privilege escalation vulnerability | Important |
| Open Source Software | CVE-2026-23654 | GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability | Important |
| Azure | CVE-2026-23661 | Azure IoT Explorer information disclosure vulnerability | Important |
| Azure | CVE-2026-23662 | Azure IoT Explorer information disclosure vulnerability | Important |
| Azure | CVE-2026-23665 | Linux Azure Diagnostic extension (LAD) privilege escalation vulnerability | Important |
| Microsoft Office | CVE-2026-26106 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2026-26107 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2026-26108 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2026-26109 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Azure | CVE-2026-26117 | Arc Enabled Servers-Azure Connected Machine Agent privilege escalation vulnerability | Important |
| Azure | CVE-2026-26118 | Azure MCP Server Tools privilege escalation vulnerability | Important |
| Apps | CVE-2026-26123 | Microsoft Authenticator Information Disclosure Vulnerability | Important |
| ASP.NET Core | CVE-2026-26130 | ASP.NET Core denial of service vulnerability | Important |
| Azure | CVE-2026-26141 | Hybrid Worker Extension (Arcenabled‑ Windows VMs) Privilege Escalation Vulnerability | Important |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.
Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.
Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.
