Virtual Administrator’s March 2026 Patch Recommendations
All new patches will be approved in our patch policy.
March brings 83 security updates with 8 rated as “Critical” in severity.
Most of these critical vulnerabilities, 5 in total, have already been fixed by Microsoft and require no customer action to resolve. The remaining 3 critical vulnerabilities are in Microsoft Office: CVE-2026-26110, CVE-2026-26113, and CVE-2026-26144.
While some refer to CVE-2026-26127 and CVE-2026-21262 as zero-day vulnerabilities, both are publicly disclosed but not yet actively exploited. Microsoft rates them as “Important” severity.
- CVE-2026-21262 could allow an attacker to elevate privileges over a network on SQL Server 2016 and later editions, potentially gaining SQL sysadmin privileges.
- CVE-2026-26127 is a vulnerability in applications running on .NET which could trigger a denial of service through an out-of-bounds read.
- CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws in Microsoft Office. The Preview Pane is an attack vector.
- CVE-2026-26144 is an Excel Information Disclosure vulnerability.
- New SSU for Windows Server 2012/2012R2.
Disclosed: CVE-2026-21262, CVE-2026-26127
Exploited: None
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 3/1/2018 | Last Updated: 2/10/2026)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.
Known Issues
No new known issues reported by Microsoft. We have listed the Out-of-band (OOB) fix from last week below.
Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues, it is unlikely to occur now.
March 2, 2026—KB5082314 (OS Build 20348.4776) Out-of-band
Windows Server 2022
This out-of-band (OOB) update includes quality improvements and a fix. This update is cumulative and includes security fixes and improvements from the February 10, 2026, security update (KB5075906).
Additionally, this out-of-band update addresses an issue affecting certificate renewal for Windows Hello for Business in certain Active Directory Federation Services (ADFS)–based deployments on Windows Server 2022.
Important: You should only apply this update to affected ADFS servers if they are using ADFS in combination with Windows Hello for Business. This fix is protected by Known Issue Rollback (KIR) and is disabled by default. Installing this update alone does not enable the fix. The KIR enablement Group Policy is provided only by Microsoft Support and is intended for customers who are confirmed to be affected by this issue.
Good resource for known issues with Windows 10/11/Server patches. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5078774 – Windows Server 2012 R2 (ESU)
- KB5078775 – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5078885 – Version 21H2 “November 2021 Update” (OS Build 19044) (ESU)
- KB5078885 – Version 22H2 “November 2022 Update” (OS Build 19045) (ESU)
(Versions 1507, 1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2, 21H1 are no longer under support)
Windows 11
- KB5078883 – 23H2 (OS Build 22631)
- KB5079473 – 24H2 (OS Build 26100)
- KB5079473 – 25H2 (OS Build 26200)
- KB5079466 – 26H1 (OS Build 28000)
(Versions 21H2 and 22H2 are no longer under support)
Windows Server
- KB5078938 – Server 2016 (EOS January 2027)
- KB5078752 – Server 2019 (EOS January 2029)
- KB5078766 – Server 2022 (OS Build 20348)
- KB5078734 – Server 23H2 (OS Build 25398)
- KB5078740 – Server 2025 (OS Build 26100)
March 2026 updates for Microsoft Office
Notable CVEs
CVE-2026-21262 | SQL Server Elevation of Privilege Vulnerability (KB5077465,KB5077466,KB5077469,KB5077470,KB5077471,KB5077472,KB5077473,KB5077474)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21262
Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network. An attacker who successfully exploited this vulnerability could gain SQL sysadmin privileges.
CVE-2026-26127 | .NET Denial of Service Vulnerability (KB5081276,KB5081278)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127
Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.
CVE-2026-26113 | Microsoft Office Remote Code Execution Vulnerability (Click to Run,KB5002845,KB5002847,KB5002848,KB5002850,KB5002851)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26113
Untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-26110 | Microsoft Office Remote Code Execution Vulnerability (Click to Run,KB5002838)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26110
Access of resource using incompatible type (‘type confusion’) in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-26144 | Microsoft Excel Information Disclosure Vulnerability (Click to Run)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26144
Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
NOTE: “The vulnerability documented by this CVE requires no customer action to resolve”
CVE-2026-26122 | Microsoft ACI Confidential Containers Information Disclosure Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26122
CVE-2026-26125 | Payment Orchestrator Service Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26125
CVE-2026-26124 | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26124
CVE-2026-21536 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21536
CVE-2026-23651 | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23651