March 2026 Patch Tuesday: Updates and Analysis | CrowdStrike BLOG Featured Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report May 14, 2026 Falcon AIDR Detects Threats at the Prompt Layer in Kubernetes AI Applications May 13, 2026 May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs May 12, 2026 Inside CrowdStrike Automated Leads: A Transformative Approach to Threat Detections May 11, 2026 Recent Video Video Highlights the 4 Key Steps to Successful Incident Response Dec 02, 2019 Helping Non-Security Stakeholders Understand ATT&CK in 10 Minutes or Less [VIDEO] Feb 21, 2019 Analyzing Targeted Intrusions Through the ATT&CK Framework Lens [VIDEO] Jan 22, 2019 Qatar’s Commercial Bank Chooses CrowdStrike Falcon®: A Partnership Based on Trust [VIDEO] Aug 20, 2018 Category Agentic SOC How Charlotte AI AgentWorks Fuels Security's Agentic Ecosystem 03/25/26 CrowdStrike Services and Agentic MDR Put the Agentic SOC in Reach 03/24/26 4 Ways Businesses Use CrowdStrike Charlotte AI to Transform Security Operations 03/12/26 Inside the Human-AI Feedback Loop Powering CrowdStrike’s Agentic Security 02/10/26 Cloud & Application Security 05/13/26 CrowdStrike Named a Leader in Frost & Sullivan 2026 Radar for Cloud-Native Application Protection Platforms 04/27/26 CrowdStrike Expands Real-Time Cloud Detection and Response to Google Cloud 04/22/26 CrowdStrike Falcon Cloud Security Delivered 264% ROI Through Unified Cloud Protection Threat Hunting & Intel 05/14/26 CrowdStrike Named a Leader in the First-Ever Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies 05/06/26 CrowdStrike Launches Falcon OverWatch for Defender 05/05/26 Tune In: The Future of AI-Powered Vulnerability Discovery 05/01/26 Endpoint Security & XDR 05/11/26 CrowdStrike Falcon Platform Achieves 441% ROI in Three Years 04/21/26 Falcon for IT Supports Windows Secure Boot Certificate Lifecycle Management 04/01/26 Enhanced Network Visibility: A Dive into the Falcon macOS Sensor's New Capabilities 03/11/26 Engineering & Tech EMBER2024: Advancing the Training of Cybersecurity ML Models Against Evasive Malware 09/03/25 Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS 08/20/25 CrowdStrike’s Approach to Better Machine Learning Evaluation Using Strategic Data Splitting 08/11/25 CrowdStrike Researchers Develop Custom XGBoost Objective to Improve ML Model Release Stability 03/20/25 Executive Viewpoint Frontier AI Is Collapsing the Exploit Window.
Here’s How Defenders Must Respond. 04/20/26 Frontier AI for Defenders: CrowdStrike and OpenAI TAC 04/16/26 Anthropic Claude Mythos Preview: The More Capable AI Becomes, the More Security It Needs 04/06/26 The Architecture of Agentic Defense: Inside the Falcon Platform 01/16/26 From The Front Lines CrowdStrike Technical Risk Assessments Reveal Common Exposure Patterns 05/04/26 Introducing the CrowdStrike Shadow AI Visibility Service CrowdStrike Flex for Services Expands Access to Elite Security Expertise From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise 03/20/26 Next-Gen Identity Security Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse 03/31/26 CrowdStrike FalconID Brings Phishing-Resistant MFA to Falcon Next-Gen Identity Security 02/26/26 CrowdStrike Named a Customers’ Choice in 2026 Gartner® Peer Insights™ Voice of the Customer for User Authentication 02/12/26 CrowdStrike to Acquire Seraphic to Secure Work in Any Browser 01/13/26 Next-Gen SIEM & Log Management Falcon Next-Gen SIEM Supports Third-Party EDR Tools, Starting with Microsoft Defender 03/23/26 Falcon Next-Gen SIEM Simplifies Onboarding with Sensor-Native Log Collection 03/06/26 Exposing Insider Threats through Data Protection, Identity, and HR Context 02/18/26 How to Scale SOC Automation with Falcon Fusion SOAR 02/11/26 Public Sector CrowdStrike Innovates to Modernize National Security and Protect Critical Systems 03/18/26 Falcon Platform for Government Now Offers Falcon for XIoT to Secure Connected Assets CrowdStrike Achieves FedRAMP® High Authorization 03/19/25 NHS Matures Healthcare Cybersecurity with NCSC’s CAF Assurance Model 03/13/25 Exposure Management 05/12/26 April 2026 Patch Tuesday: Two Zero-Days and Eight Critical Vulnerabilities Among 164 CVEs 04/14/26 How CrowdStrike Is Accelerating Exposure Evaluation as Adversaries Gain Speed 04/05/26 March 2026 Patch Tuesday: Eight Critical Vulnerabilities and Two Publicly Disclosed Among 82 CVEs Patched 03/10/26 Securing AI CrowdStrike Expands ChatGPT Enterprise Integration with Enhanced Audit Logging and Activity Monitoring 04/28/26 New CrowdStrike Innovations Secure AI Agents and Govern Shadow AI Across Endpoints, SaaS, and Cloud Secure Homegrown AI Agents with CrowdStrike Falcon AIDR and NVIDIA NeMo Guardrails 03/19/26 Introducing "AI Unlocked: Decoding Prompt Injection," a New Interactive Challenge Data Security Falcon Data Security Secures Data Wherever It Lives and Moves Falcon Data Protection for Cloud Extends DSPM into Runtime 11/20/25 CrowdStrike Stops GenAI Data Leaks with Unified Data Protection 09/18/25 Q&A: How Mastronardi Produce Secures Innovation with CrowdStrike 02/14/25 Start Free Trial March 10, 2026 Falcon Exposure Management Team Microsoft has addressed 82 vulnerabilities in its March 2026 security update release.
These include two publicly disclosed vulnerabilities and eight Critical vulnerabilities. March 2026 Risk Analysis This month's leading risk types by exploitation technique are elevation of privilege with 46 patches (56%), remote code execution (RCE) with 16 patches (20%), and information disclosure with 10 patches (12%). Figure 1. Breakdown of March 2026 Patch Tuesday exploitation techniques Microsoft Windows received the most patches this month with 48, followed by Azure with 13.
Figure 2. Breakdown of product families affected by March 2026 Patch Tuesday Critical Vulnerability in Microsoft Devices Pricing Program CVE-2026-21536 is a Critical remote code execution vulnerability affecting Microsoft Devices Pricing Program and has a CVSS score of 9.8 . This vulnerability enables unauthenticated remote attackers to execute arbitrary code by exploiting an unrestricted file upload weakness (CWE-434) in the Microsoft Devices Pricing Program, which fails to properly validate uploaded file types.
The vulnerability requires no user interaction and has low attack complexity. Microsoft has proactively remediated this vulnerability within the cloud infrastructure without requiring any customer intervention. Microsoft Devices Pricing Program users are automatically protected with no patches or configuration changes necessary. Table 1. Critical vulnerability in Microsoft Devices Pricing Program Severity CVSS Score CVE Description Critical 9.8 CVE-2026-21536 Microsoft Devices Pricing Program Remote Code Execution Vulnerability Critical Vulnerability in Payment Orchestrator Service CVE-2026-26125 elevation of privilege vulnerability affecting the Payment Orchestrator Service and has a 8.6 .
This vulnerability allows remote attackers with no privileges to gain elevated access through missing authentication for a critical function in the Payment Orchestrator Service. The vulnerability requires no user interaction and has low attack complexity with a changed scope that impacts confidentiality. Microsoft has proactively remediated this vulnerability within the cloud infrastructure without requiring any customer intervention.
This CVE is published for transparency as part of Microsoft's commitment to disclosing cloud service vulnerabilities. Payment Orchestrator Service users are automatically protected with no patches or configuration changes necessary. Table 2. Critical vulnerability in Payment Orchestrator Service Severity CVSS Score CVE Description Critical 8.6 CVE-2026-26125 Payment Orchestrator Service Elevation of Privilege Vulnerability Critical Vulnerabilities in Microsoft Office CVE-2026-26110 CVE-2026-26113 remote code execution vulnerabilities in Microsoft Office, both with scores of 8.4 .
These vulnerabilities allow unauthenticated attackers to execute arbitrary code by exploiting untrusted pointer dereference and type confusion flaws in Microsoft Office components. Exploitation requires no user interaction and can be triggered by sending specially crafted malicious files to the target user, with the preview pane serving as an attack vector for both vulnerabilities. In the most severe attack scenario, an attacker could send a specially crafted file that executes malicious code on the victim's machine simply through the preview pane, without requiring the victim to open the file.
Table 3. Critical vulnerabilities in Microsoft Office Severity CVSS Score CVE Description Critical 8.4 CVE-2026-26110 Microsoft Office Remote Code Execution Vulnerability Critical 8.4 CVE-2026-26113 Microsoft Office Remote Code Execution Vulnerability Critical Vulnerability in Microsoft Excel CVE-2026-26144 information disclosure vulnerability affecting Microsoft Excel and has a 7.5 . A cross-site scripting flaw in Microsoft Office Excel could allow remote attackers with no privileges to disclose sensitive information over a network through improper neutralization of input during web page generation.
The vulnerability requires no user interaction and has low attack complexity. Successful exploitation could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack with high confidentiality impact. The Preview Pane is not an attack vector for this vulnerability. While no exploit code has been observed, Microsoft assesses exploitation as unlikely.
An official fix is available for customers to deploy. Table 4. Critical vulnerability in Microsoft Excel Severity CVSS Score CVE Description Critical 7.5 CVE-2026-26144 Microsoft Excel Information Disclosure Vulnerability Three Critical Vulnerabilities in Microsoft ACI Confidential Containers CVE-2026-23651 CVE-2026-26124 elevation of privilege vulnerabilities affecting Microsoft ACI Confidential Containers, and both have a 6.7 .
There is no evidence of exploitation in the wild. A permissive regular expression flaw (CVE-2026-23651) and a path traversal flaw (CVE-2026-26124) in Azure Compute Gallery could both allow local attackers with high privileges to elevate their privileges within the affected ACI container's context. These vulnerabilities require no user interaction and have low attack complexity. Successful exploitation of these vulnerabilities could enable attackers to escape access boundaries and perform actions beyond their authorized privilege level.
Microsoft assesses that exploitation is less likely and reports it has already fully mitigated these issues. CVE-2026-26122 information disclosure vulnerability affecting Microsoft ACI Confidential Containers and has a 6.5 . There is no evidence of exploitation in the wild. An insecure default initialization of a resource flaw in Azure Compute Gallery could allow remote attackers with low privileges to disclose sensitive information over a network.
This vulnerability requires no user interaction and has low attack complexity, with potential for high confidentiality impact. In confidential container scenarios, successful exploitation could enable attackers to access information that should be protected within the environment. No public exploit code exists, and Microsoft assesses exploitation as less likely. Microsoft reports it has fully mitigated this vulnerability server-side within the Azure Confidential ACI service.
Table 5. Critical vulnerabilities in Microsoft ACI Confidential Containers Severity CVSS Score CVE Description Critical 6.7 CVE-2026-23651 Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability Critical 6.7 CVE-2026-26124 Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability Critical 6.5 CVE-2026-26122 Microsoft ACI Confidential Containers Information Disclosure Vulnerability Publicly Disclosed Vulnerability in Microsoft SQL Server CVE-2026-21262 is an Important privilege escalation vulnerability affecting Microsoft SQL Server and has a 8.8 .
This vulnerability allows remote attackers with low privileges to gain SQL sysadmin privileges through an improper access control flaw. The vulnerability requires no user interaction and has low attack complexity. An attacker would need to log in to a vulnerable system before performing the privilege escalation. This vulnerability was publicly disclosed, though there is no evidence of exploitation. An official fix is available for customers to deploy.
Table 6. Important vulnerability in SQL Server Severity CVSS Score CVE Description Important 8.8 CVE-2026-21262 SQL Server Elevation of Privilege Vulnerability A Publicly Disclosed Vulnerability in Microsoft .NET CVE-2026-26127 denial-of-service (DoS) vulnerability affecting Microsoft .NET and has a 7.5 . This vulnerability allows a remote attacker to exploit an out-of-bounds read flaw to cause a DoS condition on affected systems.
While this vulnerability had been publicly disclosed, there is no evidence of exploitation, and Microsoft assesses that exploitation is unlikely. An official fix is available for customers to deploy. Table 7. Important vulnerability in Microsoft .NET Severity CVSS Score CVE Description Important 7.5 CVE-2026-26127 .NET Denial of Service Vulnerability Patch Tuesday Dashboard in the Falcon Platform For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard.
This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities. Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies As we have learned with other notable vulnerabilities, such as Log4j , not every highly exploitable vulnerability can be easily patched.
As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture. Learn More The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries.
Watch this demo to see the Falcon platform in action . Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here . About CVSS Scores Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics.
The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article . Additional Resources For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here . Learn how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
Make prioritization painless and efficient. Watch how Falcon Exposure Management enables IT staff to improve visibility with custom filters and team dashboards. Find out how CrowdStrike Falcon® Next-Gen Identity Security products can stop workforce identity threats faster. Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™ . Related Content Categories CONNECT WITH US FEATURED ARTICLES May 06, 2026 May 05, 2026 SUBSCRIBE Sign up now to receive the latest notifications and updates from CrowdStrike.
Sign Up See CrowdStrike Falcon ® in Action Detect, prevent, and respond to attacks— even malware-free intrusions—at any stage, with next-generation endpoint protection. See Demo February 2026 Patch Tuesday: Six Zero-Days Among 59 CVEs Patched Privacy Request Info Contact Us 1.888.512.8906 Accessibility