Microsoft has released its monthly security update for March 2026, which addresses 79 vulnerabilities. Of these, three are marked as ‘critical.’ The remaining vulnerabilities are classified as ‘important.’ According to Microsoft’s assessment, exploitation of the three critical vulnerabilities is considered “less likely.”
The three critical vulnerabilities affect Microsoft Office and Excel:
- CVE-2026-26110: A type confusion issue in Microsoft Office.
- CVE-2026-26113: An untrusted pointer dereference vulnerability in Microsoft Office.
- CVE-2026-26144: An information disclosure vulnerability affecting Microsoft Excel, due to improper neutralization of input. This has not been previously disclosed or exploited by attackers.
Important vulnerabilities include:
- CVE-2026-26109: An out-of-bounds read issue in Microsoft Office Excel that could enable code execution locally.
- CVE-2026-26106 and CVE-2026-26114: Remote code execution vulnerabilities affecting Microsoft SharePoint Server, due to improper input validation and deserialization of untrusted data, respectively.
- CVE-2026-21262: An elevation of privilege vulnerability in SQL Server with a CVSS v3.1 score of 8.8, caused by improper access control.
Cisco Talos also highlighted several important vulnerabilities:
- CVE-2026-23668: A Windows Graphics Component Elevation of Privilege Vulnerability.
- CVE-2026-24289: A Windows Kernel Elevation of Privilege Vulnerability.
- CVE-2026-24291: An elevation of privilege vulnerability in Windows Accessibility Infrastructure (ATBroker.exe).
- CVE-2026-24294: Another Windows SMB Server Elevation of Privilege Vulnerability.
- CVE-2026-25176 and CVE-2026-25187: Additional elevation of privilege vulnerabilities in Windows Ancillary Function Driver for WinSock and Winlogon, respectively.
A complete list of all other vulnerabilities can be found on Microsoft’s update page.