Microsoft Patch Tuesday: Critical Office & Excel Flaws Patched – March 2026 Updates

by Anika Shah - Technology
0 comments

Microsoft’s March 2026 Patch Tuesday: Office Flaws and AI-Discovered Vulnerability

Microsoft’s March 2026 Patch Tuesday has arrived, bringing fixes for 84 vulnerabilities across its software suite, including Windows, Office, and SQL Server. While no actively exploited zero-day vulnerabilities were reported this month, two publicly disclosed flaws and a critical bug discovered by AI demand attention from IT professionals.

Office Preview Pane Vulnerabilities

Two critical vulnerabilities (CVE-2026-26113 and CVE-2026-26110) in Microsoft Office allow attackers to execute malicious code simply by a user viewing a booby-trapped document in the Preview Pane. This means a user doesn’t even need to open the file to be compromised.

Jack Bicer, Director of Vulnerability Research at Action1, emphasized the severity of this issue, stating that the Preview Pane serves as an attack vector, enabling code execution through a simple document preview. [1] Mike Walters, president and co-founder of Action1, warned that a single memory handling mistake within Office can turn an ordinary document into a potential system takeover. [1]

Excel and AI-Related Risks

A vulnerability (CVE-2026-26144) in Microsoft Excel, specifically its Copilot Agent mode, could allow attackers to leak sensitive data across a network. This “information disclosure” flaw could silently extract confidential information from internal systems without triggering alerts. [1]

Publicly Disclosed Vulnerabilities

Two vulnerabilities were publicly disclosed this month, meaning the technical details for exploiting them are already available:

  • CVE-2026-21262: An elevation of privilege vulnerability in Microsoft SQL Server (CVSS score 8.8) allows an attacker with basic access to gain sysadmin privileges. [1] [2]
  • CVE-2026-26127: A denial-of-service vulnerability in the .NET framework (CVSS score 7.5) could allow attackers to crash applications. [2]

AI-Discovered Critical Vulnerability

A critical vulnerability (CVE-2026-21536, CVSS score 9.8) in the Microsoft Devices Pricing Program was discovered by XBOW, an AI-powered autonomous vulnerability discovery platform. Microsoft has already mitigated this vulnerability, but it demonstrates the growing role of AI in identifying software flaws. [2]

Patching Guidance

Microsoft released 84 security updates this month, including eight rated Critical and 76 rated Essential. [2] IT teams should prioritize applying these updates. As a temporary measure, disabling the Preview Pane in File Explorer can help mitigate the risk from the Office vulnerabilities. [1]

As Satnam Narang, senior staff research engineer at Tenable, noted, over half (55%) of the CVEs this month address privilege escalation bugs, with six rated “exploitation more likely.” [2]

Related Posts

Leave a Comment