Full Report
Microsoft has released its monthly security update for March 2026, which addresses 79 vulnerabilities, three of which Microsoft marked as “critical.”
Analysis Summary
# Vulnerability: Microsoft Patch Tuesday - March 2026 Monthly Security Update
## CVE Details
- **CVE ID:** CVE-2026-26110, CVE-2026-26113, CVE-2026-26144 (Critical); CVE-2026-21262, CVE-2026-26118, CVE-2026-26128 (Highlighted Important)
- **CVSS Score:** Up to 8.8 (High/Critical severity range)
- **CWE:** Included weaknesses: Type Confusion, Untrusted Pointer Dereference, Out-of-bounds Read, Deserialization of Untrusted Data, SSRF, and SQL Injection.
## Affected Systems
- **Products:** Microsoft Office (Excel), SharePoint Server, SQL Server, Azure MCP Server Tools, Windows SMB Server, Windows Kernel, Windows Graphics Component.
- **Versions:** Multiple versions across the Microsoft ecosystem (refer to MSRC for specific build numbers).
- **Configurations:**
  - **SharePoint:** Requires authenticated attackers with Site Member permissions (PR:L).
  - **Azure MCP:** Requires an MCP-backed agent accepting user-provided parameters.
## Vulnerability Description
This update addresses 79 vulnerabilities. Key technical flaws include:
- **Office RCE (CVE-2026-26110/113):** Type confusion and untrusted pointer dereference allowing local code execution via malicious documents.
- **SharePoint RCE (CVE-2026-26106/114):** Improper input validation and insecure deserialization allowing remote code execution.
- **Azure SSRF (CVE-2026-26118):** Server-Side Request Forgery in MCP Server Tools allows attackers to submit malicious URLs and capture managed identity tokens.
- **SMB Server (CVE-2026-26128):** Insecure authentication handling allowing escalation to SYSTEM privileges.
## Exploitation
- **Status:** **CVE-2026-21262** (SQL Server) has been **publicly disclosed**. No active exploitation in the wild was reported at the time of release for the Critical flaws.
- **Complexity:** Generally Low to Medium.
- **Attack Vector:** Varies; Network (SharePoint, SQL, SMB, Azure) and Local (Office/Excel).
## Impact
- **Confidentiality:** High (Information disclosure in Excel; Token theft in Azure).
- **Integrity:** High (RCE in Office/SharePoint; Privilege escalation in SMB and Kernel).
- **Availability:** High (Potential for system compromise and denial of service across Windows components).
## Remediation
### Patches
- Microsoft has released cumulative updates and security-only updates for Windows and affected software. Users should apply the March 2026 security updates via **Windows Update** or the **Microsoft Update Catalog**.
### Workarounds
- **SharePoint:** Restrict "Site Member" permissions to trusted users only.
- **SMB:** Ensure SMB signing and encryption are enabled to mitigate relay/authentication-related risks where applicable.
- **Excel:** Block or inspect untrusted Office files from external sources.
## Detection
- **Network Discovery:** Utilize Cisco Snort rules to detect exploitation attempts:
  - **Snort 2:** 66089 - 66092, 66096, 66097, 66101 - 66104.
  - **Snort 3:** 301442 - 301446.
- **Azure Logs:** Monitor for unexpected outbound requests from Managed Identities to unrecognized external URLs.
- **SQL Server:** Audit logs for unusual SQL command elements or failed privilege escalation attempts.
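
One way to triage the Azure Logs check above, as an added example that is not from Microsoft or the original report. It assumes a hypothetical JSON-lines egress log with `identity` and `url` fields and an illustrative baseline of Azure endpoint suffixes, and it matches on the parsed hostname so that look-alike hosts are still flagged.

```python
import json
from urllib.parse import urlsplit

# Assumption: hosts this workload's managed identity legitimately calls.
# Replace with your own baseline; these suffixes are illustrative.
EXPECTED_SUFFIXES = ("management.azure.com", "vault.azure.net", "blob.core.windows.net")

# Constructed sample records; the field names are hypothetical, not a real Azure log schema.
SAMPLE_LOG = """\
{"identity": "mi-agent-01", "url": "https://management.azure.com/subscriptions"}
{"identity": "mi-agent-01", "url": "https://kv-prod.vault.azure.net/secrets/db"}
{"identity": "mi-agent-01", "url": "https://collector.example.net/cb"}
{"identity": "mi-agent-01", "url": "https://management.azure.com.example.net/x"}
{"identity": "mi-agent-01", "url": "https://management.azure.com@example.org/x"}
{"identity": "mi-agent-01", "url": "not a url"}
"""


def host_is_expected(host):
    """True only for an exact match or a true subdomain of an expected suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)


def unexpected_requests(log_text):
    """Return (identity, host, url) for every request to a host outside the baseline."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        url = rec.get("url", "")
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            host = ""
        # Unparseable URLs are reported too: they cannot be matched to the baseline.
        if not host_is_expected(host):
            findings.append((rec.get("identity"), host, url))
    return findings


if __name__ == "__main__":
    for identity, host, url in unexpected_requests(SAMPLE_LOG):
        print(f"ALERT identity={identity} host={host or '<none>'} url={url}")
```

A substring test on the raw URL would pass the fourth and fifth sample records; comparing the parsed hostname against dot-anchored suffixes does not.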
## References
- **Microsoft Security Update Guide:** https://msrc.microsoft.com/update-guide/
- **Talos Intelligence Blog:** https://blog.talosintelligence.com/microsoft-patch-tuesday-march-2026/
- **Snort Rules:** https://www.snort.org/