Microsoft March 2026 Patch Tuesday Vulnerabilities Across SharePoint, Office/Excel, Windows Drivers, and GDI
Microsoft published security advisories for multiple Important and Critical vulnerabilities affecting SharePoint Server, Microsoft Office/Excel, Windows components, and GDI. The highest-impact server-side issue is CVE-2026-26114, a SharePoint Server remote code execution flaw attributed to CWE-502 (deserialization of untrusted data) with a CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N (base score shown as 8.8), indicating network reachability with low complexity and requiring low privileges. Microsoft also disclosed CVE-2026-26105, a SharePoint Server spoofing issue mapped to CWE-79 (XSS) with AV:N/AC:L/PR:N/UI:R (base score shown as 8.1), implying remote exploitation that requires user interaction.
On the endpoint/application side, Microsoft listed several Office/Excel remote code execution vulnerabilities: CVE-2026-26109 (Excel RCE; CWE-125 out-of-bounds read; vector AV:L/AC:L/PR:N/UI:N, base score shown as 8.4), CVE-2026-26108 (Excel RCE; CWE-122 heap-based buffer overflow; AV:L/AC:L/PR:N/UI:R, base score shown as 7.8), and CVE-2026-26112 (Excel RCE; CWE-822 untrusted pointer dereference; AV:L/AC:L/PR:N/UI:R, base score shown as 7.8). Microsoft also published CVE-2026-26113, a Critical Microsoft Office RCE (also CWE-822) with AV:L/AC:L/PR:N/UI:N (base score shown as 8.4); one reference is a duplicate advisory page for the same CVE. Additional component advisories include CVE-2026-24288 (Windows Mobile Broadband Driver RCE; CWE-122; AV:P/AC:L/PR:N/UI:N, base score shown as 6.8, requiring physical access) and CVE-2026-25190 (GDI RCE; CWE-426 untrusted search path; AV:L/AC:L/PR:N/UI:R, base score shown as 7.8).
Timeline
Mar 10, 2026
Microsoft publishes March 2026 advisories for multiple RCE and spoofing flaws
Microsoft's Security Update Guide published advisories for several vulnerabilities affecting SharePoint Server, Excel, Microsoft Office, GDI, and the Windows Mobile Broadband Driver, including CVE-2026-26114, CVE-2026-26109, CVE-2026-26105, CVE-2026-26108, CVE-2026-24288, CVE-2026-25190, CVE-2026-26112, and CVE-2026-26113. The disclosures indicate security updates were made available for remote code execution and spoofing issues across these products.
Related Stories

Microsoft fixes exploited SharePoint flaw in massive Patch Tuesday release
Microsoft released fixes for **165 vulnerabilities** across Windows, Office, SharePoint, Defender, SQL Server, Azure, .NET, and other products in one of its largest Patch Tuesday updates on record. The most urgent issue was **CVE-2026-32201**, an **actively exploited** improper input validation flaw in **SharePoint Server** that enables unauthenticated network-based spoofing and was immediately added to **CISA's Known Exploited Vulnerabilities** catalog. Microsoft also patched **CVE-2026-33825**, a publicly known **Microsoft Defender** privilege-escalation bug with proof-of-concept code, and **CVE-2026-33824**, a critical **remote code execution** flaw in **Windows IKE Service Extensions** affecting IPsec/VPN infrastructure. Researchers flagged **CVE-2026-33827** in **Windows TCP/IP** as potentially **wormable** under certain IPv6 and IPSec configurations. Other high-impact fixes include **CVE-2026-33120**, a **SQL Server remote code execution** flaw that paired with a separate privilege escalation bug (**CVE-2026-32176**) could enable full server compromise, and **CVE-2026-32220**, a **UEFI Secure Boot bypass** that could allow untrusted code to load during the boot process. The release also addressed elevation of privilege flaws across Desktop Window Manager, WinSock, TDI Translation Driver, Windows Push Notifications, Function Discovery Service, WSUS, Remote Desktop Licensing, Azure Monitor Agent, and Windows kernel components; security feature bypasses in Windows Hello, PowerShell, BitLocker, and Windows Shell; information disclosure bugs in Windows GDI, Print Spooler, Web Account Manager, UPnP Device Host, and the Windows kernel; and denial-of-service issues in .NET/Visual Studio and Windows RDBSS. Cumulative updates for Windows Server 2022 and 23H2 bundled security hardening for Kerberos, RDP, Secure Boot, and WDS, with Microsoft warning that Secure Boot certificates begin expiring in June 2026.
2 weeks ago
Microsoft Patches 163 Flaws Including Exploited SharePoint Bug and Defender Zero-Day
Microsoft released fixes for **163 vulnerabilities** in its April Patch Tuesday update, marking one of its largest security releases on record. The bundle includes **8 Critical** flaws, **154 Important** issues, and **1 Moderate** bug, with seven of the Critical vulnerabilities enabling remote code execution across products and components including **Windows TCP/IP**, **Windows IKE Service Extensions**, **Active Directory**, **Remote Desktop Client**, **Microsoft Office**, and **Microsoft Word**. Belgian authorities urged organizations to apply the updates immediately. The most urgent issues include **`CVE-2026-32201`**, an actively exploited **Microsoft SharePoint Server** vulnerability that was added to CISA’s Known Exploited Vulnerabilities catalog, and **`CVE-2026-33825`** in **Microsoft Defender**, a publicly disclosed zero-day tied to proof-of-concept code associated with the **BlueHammer** exploit. Microsoft also shipped Windows 11 cumulative updates with security hardening changes, including safer handling of **`.rdp`** files and improved visibility into **Secure Boot** certificates, while the broader patch set addressed numerous elevation-of-privilege and security feature bypass flaws that could support post-compromise escalation.
1 week ago
Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for **Windows**, **Azure**, and **developer tooling**, including several high-impact issues spanning **remote code execution (RCE)**, **elevation of privilege (EoP)**, **spoofing**, **information disclosure**, **denial of service**, and **security feature bypass**. Notable items include **Azure SDK for Python RCE** `CVE-2026-21531` (CVSS 9.8; **deserialization of untrusted data**), **Windows Shell security feature bypass** `CVE-2026-21510` (CVSS 8.8; exploitability listed as **E:F**), **GitHub Copilot/Visual Studio/VS Code** issues enabling **RCE/EoP/feature bypass** (`CVE-2026-21256`, `CVE-2026-21523`, `CVE-2026-21257`, `CVE-2026-21518`), and **Azure Local RCE** `CVE-2026-21228` (CVSS 8.1; **improper certificate validation**). Additional Windows platform flaws include **Desktop Window Manager EoP** `CVE-2026-21519` (type confusion), **HTTP.sys EoP** `CVE-2026-21232` (untrusted pointer dereference), **WinSock Ancillary Function Driver EoP** `CVE-2026-21238` (improper access control), **Windows Storage EoP** `CVE-2026-21508`, **WSL EoP** `CVE-2026-21237`, **Microsoft Word security feature bypass** `CVE-2026-21514`, **Outlook spoofing** `CVE-2026-21511`, **Windows LDAP DoS** `CVE-2026-21243`, plus **ACI Confidential Containers information disclosure** `CVE-2026-23655` and **Azure IoT Explorer information disclosure** `CVE-2026-21528`. Separately, a detailed third-party writeup described a **Windows Error Reporting Service** local privilege escalation, `CVE-2026-20817`, patched in January 2026, where the **WER service** (`wersvc.dll`) running as `NT AUTHORITY\SYSTEM` allegedly fails to validate requester permissions over **ALPC**, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as *SeDebugPrivilege*, *SeImpersonatePrivilege*, and *SeBackupPrivilege*). 
Another third-party report highlighted a long-standing **libpng** heap buffer issue, `CVE-2026-25646` (CVSS 8.3), in `png_set_quantize()` that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced **libjpeg-turbo** `CVE-2023-2804` (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
2 months ago