![Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/video-ATTCK2-1?wid=530&hei=349&fmt=png-alpha&qlt=95,0&resMode=sharp2&op_usm=3.0,0.3,2,0)
![Qatar’s Commercial Bank Chooses CrowdStrike Falcon®: A Partnership Based on Trust [VIDEO]](https://assets.crowdstrike.com/is/image/crowdstrikeinc/Edward-Gonam-Qatar-Blog2-1?wid=530&hei=349&fmt=png-alpha&qlt=95,0&resMode=sharp2&op_usm=3.0,0.3,2,0)
Microsoft has addressed 82 vulnerabilities in its March 2026 security update release. These include two publicly disclosed vulnerabilities and eight Critical vulnerabilities.
This month's leading risk types by exploitation technique are elevation of privilege with 46 patches (56%), remote code execution (RCE) with 16 patches (20%), and information disclosure with 10 patches (12%).
Figure 1. Breakdown of March 2026 Patch Tuesday exploitation techniques
Figure 2. Breakdown of product families affected by March 2026 Patch Tuesday
CVE-2026-21536 is a Critical remote code execution vulnerability affecting Microsoft Devices Pricing Program and has a CVSS score of 9.8. This vulnerability enables unauthenticated remote attackers to execute arbitrary code by exploiting an unrestricted file upload weakness (CWE-434) in the Microsoft Devices Pricing Program, which fails to properly validate uploaded file types. The vulnerability requires no user interaction and has low attack complexity. Microsoft has proactively remediated this vulnerability within the cloud infrastructure without requiring any customer intervention. Microsoft Devices Pricing Program users are automatically protected with no patches or configuration changes necessary.
| Severity | CVSS Score | CVE | Description |
| Critical | 9.8 | CVE-2026-21536 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability |
CVE-2026-26125 is a Critical elevation of privilege vulnerability affecting the Payment Orchestrator Service and has a CVSS score of 8.6. This vulnerability allows remote attackers with no privileges to gain elevated access through missing authentication for a critical function in the Payment Orchestrator Service. The vulnerability requires no user interaction and has low attack complexity with a changed scope that impacts confidentiality.
Microsoft has proactively remediated this vulnerability within the cloud infrastructure without requiring any customer intervention. This CVE is published for transparency as part of Microsoft's commitment to disclosing cloud service vulnerabilities. Payment Orchestrator Service users are automatically protected with no patches or configuration changes necessary.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.6 | CVE-2026-26125 | Payment Orchestrator Service Elevation of Privilege Vulnerability |
CVE-2026-26110 and CVE-2026-26113 are Critical remote code execution vulnerabilities in Microsoft Office, both with CVSS scores of 8.4. These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting untrusted pointer dereference and type confusion flaws in Microsoft Office components.
Exploitation requires no user interaction and can be triggered by sending specially crafted malicious files to the target user, with the preview pane serving as an attack vector for both vulnerabilities. In the most severe attack scenario, an attacker could send a specially crafted file that executes malicious code on the victim's machine simply through the preview pane, without requiring the victim to open the file.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.4 | CVE-2026-26110 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability |
CVE-2026-26144 is a Critical information disclosure vulnerability affecting Microsoft Excel and has a CVSS score of 7.5. A cross-site scripting flaw in Microsoft Office Excel could allow remote attackers with no privileges to disclose sensitive information over a network through improper neutralization of input during web page generation. The vulnerability requires no user interaction and has low attack complexity. Successful exploitation could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack with high confidentiality impact.
The Preview Pane is not an attack vector for this vulnerability. While no exploit code has been observed, Microsoft assesses exploitation as unlikely. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description |
| Critical | 7.5 | CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability |
CVE-2026-23651 and CVE-2026-26124 are Critical elevation of privilege vulnerabilities affecting Microsoft ACI Confidential Containers, and both have a CVSS score of 6.7. There is no evidence of exploitation in the wild.
A permissive regular expression flaw (CVE-2026-23651) and a path traversal flaw (CVE-2026-26124) in Azure Compute Gallery could both allow local attackers with high privileges to elevate their privileges within the affected ACI container's context. These vulnerabilities require no user interaction and have low attack complexity. Successful exploitation of these vulnerabilities could enable attackers to escape access boundaries and perform actions beyond their authorized privilege level. Microsoft assesses that exploitation is less likely and reports it has already fully mitigated these issues.
CVE-2026-26122 is a Critical information disclosure vulnerability affecting Microsoft ACI Confidential Containers and has a CVSS score of 6.5. There is no evidence of exploitation in the wild.
An insecure default initialization of a resource flaw in Azure Compute Gallery could allow remote attackers with low privileges to disclose sensitive information over a network. This vulnerability requires no user interaction and has low attack complexity, with potential for high confidentiality impact. In confidential container scenarios, successful exploitation could enable attackers to access information that should be protected within the environment. No public exploit code exists, and Microsoft assesses exploitation as less likely. Microsoft reports it has fully mitigated this vulnerability server-side within the Azure Confidential ACI service.
| Severity | CVSS Score | CVE | Description |
| Critical | 6.7 | CVE-2026-23651 | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability |
| Critical | 6.7 | CVE-2026-26124 | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability |
| Critical | 6.5 | CVE-2026-26122 | Microsoft ACI Confidential Containers Information Disclosure Vulnerability |
CVE-2026-21262 is an Important privilege escalation vulnerability affecting Microsoft SQL Server and has a CVSS score of 8.8. This vulnerability allows remote attackers with low privileges to gain SQL sysadmin privileges through an improper access control flaw. The vulnerability requires no user interaction and has low attack complexity. An attacker would need to log in to a vulnerable system before performing the privilege escalation. This vulnerability was publicly disclosed, though there is no evidence of exploitation. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description |
| Important | 8.8 | CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability |
CVE-2026-26127 is an Important denial-of-service (DoS) vulnerability affecting Microsoft .NET and has a CVSS score of 7.5. This vulnerability allows a remote attacker to exploit an out-of-bounds read flaw to cause a DoS condition on affected systems. While this vulnerability had been publicly disclosed, there is no evidence of exploitation, and Microsoft assesses that exploitation is unlikely. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description |
| Important | 7.5 | CVE-2026-26127 | .NET Denial of Service Vulnerability |
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
