March Patch Tuesday 2026: No Zero-Days, No Excuses

The email lands in your inbox. "Microsoft March 2026 Patch Tuesday: no actively exploited zero-days at release." And somewhere in your building, someone in finance or senior management reads that summary and thinks: quiet month, we can defer.

They are wrong. And this post explains exactly why.

Microsoft shipped its March 2026 security update on 10 March. It is the first Patch Tuesday in six months without a confirmed active zero-day at release time. That is genuinely notable. It is not, however, permission to relax.

Here is what this month actually contains: two publicly disclosed vulnerabilities, six Windows elevation-of-privilege flaws that Microsoft itself has rated as "Exploitation More Likely", and three Critical-rated vulnerabilities in Microsoft Office and Excel, including one that can leverage Copilot Agent to quietly exfiltrate data with almost no user interaction required.

That is your quiet month.

What "No Zero-Day" Actually Means

Let us be precise about the terminology, because it matters when you are briefing a board or explaining a patch schedule to a client.

Microsoft classifies a zero-day as a vulnerability that was either publicly disclosed or actively exploited before a fix was available. This month has two that meet the public disclosure criterion.

CVE-2026-21262 is a SQL Server elevation-of-privilege flaw with a CVSS score of 8.8. An authorised attacker can exploit improper access control to escalate to sysadmin level over the network. If you have a CRM, an accounting package, or any line-of-business application running on SQL Server 2016 or later with network-reachable instances, this is not an academic risk. It was disclosed through a published technical article before the patch dropped, which means the research is already out there.

CVE-2026-26127 is a denial-of-service vulnerability in .NET 9.0 and 10.0 with a CVSS of 7.5. An unauthenticated attacker can trigger an out-of-bounds read over the network. Microsoft rates exploitation as unlikely, and Tenable's Satnam Narang described both of these disclosed items as having "more bark than bite". That assessment is reasonable: neither has been seen in active attacks. But public disclosure still shortens your window, because it gives attackers a head start on weaponising the research.

The point is this: "no actively exploited zero-day" is not the same as "nothing urgent here". It is a precise technical status, not a risk rating.

The Six Privilege Escalation Flaws You Need to Understand

The structural story of March 2026 is elevation of privilege. More than 55% of this month's patches address EoP vulnerabilities. Six of them carry Microsoft's "Exploitation More Likely" rating, which is as close as Microsoft gets to saying "we expect someone to build an exploit for this."

All six affect foundational Windows components:

CVEComponentCVSSWhat It DoesCVE-2026-23668Windows Graphics Component7.0Two race conditions (cdd.dll and win32kfull) leading to SYSTEMCVE-2026-24289Windows Kernel7.8Memory corruption and race condition, results in SYSTEM accessCVE-2026-24291Windows Accessibility Infrastructure7.8Incorrect permission assignments allow escalation to SYSTEMCVE-2026-24294Windows SMB Server7.8Improper authentication in the core SMB componentCVE-2026-25187Winlogon7.8Process weakness discovered by Google Project ZeroCVE-2026-26132Windows Kernel7.8Allows attacker to obtain administrator privileges

Why do these matter specifically for small businesses? Because this is exactly how a real-world breach unfolds after the initial foothold.

Think about the typical attack path: a user clicks something they should not have, an attacker lands as a standard user on a shared Windows 11 desktop or a Remote Desktop Services host. At that point, they are limited. What they need next is an elevation-of-privilege exploit, something that takes them from "random user" to SYSTEM or domain administrator. That is what these six vulnerabilities provide. Kernel bugs, a Winlogon weakness, an SMB authentication flaw: the components that get chained together after a phish to turn one compromised account into full environment control.

Six of those components have now been publicly documented as vulnerable, rated more likely to be exploited than not, and are waiting to be patched on your estate.

The Copilot Problem: CVE-2026-26144

This is the one that deserves a separate conversation in any organisation using Microsoft 365 Copilot.

CVE-2026-26144 is rated Critical. Officially, it is classified as an information disclosure vulnerability in Microsoft Excel. Do not let that description lull you into treating it as low priority.

ZDI's Dustin Childs has described it as a cross-site scripting-style flaw that an attacker can use to cause Copilot Agent mode to exfiltrate data from the target. Microsoft's own description confirms the vulnerability could cause Copilot Agent mode to send data via unintended network egress. The key phrase in Graham's podcast summary is accurate: this is "near zero-click from the user's point of view."

What that looks like in practice: an attacker gets a crafted workbook into your environment, via email, SharePoint, Teams, or any shared document channel. Your finance director has Copilot in Excel open across their cashflow model and payroll spreadsheets. They interact with that workbook in the normal course of their work. Copilot Agent, which you have helpfully connected to their OneDrive, their inbox, and their board folder, begins quietly sending data somewhere it should not.

The user thinks they are using AI to tidy a spreadsheet. The data is leaving the building.

This is not a theoretical attack class. It is a documented vulnerability with a published CVE, a Critical rating from Microsoft, and detailed public analysis from ZDI. If you have Copilot deployed, this needs to be at the top of your patching queue today.

The Preview Pane Risk: CVE-2026-26110 and CVE-2026-26113

Two further Critical-rated Office vulnerabilities deserve explicit mention, because the attack vector is one that catches organisations off guard.

Both CVE-2026-26110 (type confusion, CVSS 8.4) and CVE-2026-26113 (untrusted pointer dereference, CVSS 8.4) are remote code execution vulnerabilities. The attack vector in both cases is the Preview Pane.

Your users do not need to open, download, or execute anything. Browsing a shared mailbox in Outlook, clicking around a SharePoint library with document preview enabled, previewing an attachment rather than opening it: in the right conditions, a malicious Office file in that path is sufficient for exploitation.

Think about which of your staff members habitually work this way. Your accounts team in shared mailboxes. Your HR team reviewing CVs from SharePoint. Your project managers previewing attachments before committing to download them. This is normal user behaviour, not careless behaviour, and it is precisely the behaviour these vulnerabilities exploit.

Microsoft rates exploitation as "less likely." That assessment applies to a fully patched environment. It does not apply to the RDS host that has been deferred for two months, or the shared workstation with Office builds from Q4 last year.

Windows Updates Are Binary

One more principle worth stating clearly, because it comes up in almost every deferred patching conversation.

Windows cumulative updates do not offer you the option to select individual CVEs. You cannot say "install the Copilot fix but skip the kernel patch." You cannot install the Winlogon hardening without taking the whole of March. The cumulative update is a single payload. You either take all of it, or you take none of it.

That means if you are holding back the March cumulative because someone decided it was a quiet month, you are also holding back: the kernel fixes, the SMB authentication patch, the Winlogon hardening, the accessibility permissions cleanup, the graphics race condition patch, and every preceding month you have not yet applied.

You are not choosing to defer a few edge-case CVEs. You are choosing how long your estate remains exploitable via well-documented, publicly rated privilege escalation paths.

Your Practical Checklist for This Week

Step one: Verify actual build numbers, not dashboard statuses. Check real installed build numbers on a representative sample: one front-line laptop, one shared workstation, one server if you have on-premises infrastructure. Patch management dashboards report compliance against policy; they do not always reflect reality. Confirm the March Office builds containing the Copilot and Preview Pane fixes are installed, and that the March Windows cumulative is on your key devices.

Step two: Map your Copilot exposure. Not "we purchased 50 licences." Identify by name which users have Copilot Agent mode active, which data sources it is connected to, and whether those users are on fully patched Office and Windows builds. Executives, finance, legal, anyone with access to payroll, M&A materials, or investor documents: these users are highest risk and move to the front of your patch queue immediately.

Step three: Sense-check your DLP and egress logging for AI tools. You do not need a six-month project. Verify that whatever data loss prevention controls you already have can see Copilot traffic. Confirm that egress logging is actually enabled and not turned off to save storage. If large volumes of sensitive data start moving toward unexpected destinations, do you have anything in place that would flag it?

Step four: Roll in same-cadence third parties. While you have a patch window open, Adobe Acrobat and Reader need attention. This month is the quarterly Acrobat update (APSB26-26) with Critical code execution and privilege escalation flaws. If your users open PDFs from email or the web, treat the Adobe surface as the same risk level as Office. One maintenance window, both closed.

Step five: If you deferred the 2 March OOB update, verify it is now covered. Microsoft released an out-of-band update on 2 March 2026 (KB5082314) for Windows Server 2022 addressing a certificate renewal issue for Windows Hello for Business in ADFS deployments. That fix is rolled into the March cumulative. If you deferred KB5082314, the March update closes the gap. Confirm it has landed.

How to Turn This Into a Competitive Advantage

Patch Tuesday discipline is not glamorous. It does not make headlines unless you miss it and something goes wrong. But consistent, documented patch management is increasingly a differentiator for small businesses operating in supply chains where enterprise customers are scrutinising their security posture.

Use the Copilot angle to have a genuine conversation with clients. Most small businesses have deployed Microsoft 365 Copilot without a corresponding review of their DLP policies or data egress controls. CVE-2026-26144 gives you a specific, documented reason to have that conversation now. Offer a Copilot security review as a value-added service or as part of onboarding.

Turn your patch cadence into documented evidence. If you are working toward Cyber Essentials certification (or the updated v3.3 requirements arriving in April 2026), a consistent patching record is part of the evidence base. Log what was patched, when, and against which CVEs. That documentation has value both for certification and for demonstrating due diligence to insurers.

Get ahead of the Secure Boot deadline. The March update continues the Secure Boot KEK rollout, replacing 2011 certificates with the 2023 set. The June 2026 expiry is less than three months away. If you manage a mixed device estate with older hardware or OEM-specific firmware requirements, now is the time to identify any devices that will not receive the automatic rollout. Leaving this until May is going to cause problems.

How to Sell This to Your Board

The board-level summary for March 2026 Patch Tuesday is straightforward.

The risk is not zero-days. There are no actively exploited zero-days this month. What there are is six well-documented privilege escalation vulnerabilities in core Windows components, rated by Microsoft as more likely than not to be weaponised, plus a Critical Excel vulnerability that could let an attacker use your AI productivity tool against you. The absence of a dramatic headline does not mean the risk is low.

The Copilot exposure is a new category of risk. If you have deployed Microsoft 365 Copilot, you have expanded your attack surface in ways that traditional perimeter controls do not address. CVE-2026-26144 is the first high-profile example of AI tool exploitation in a Patch Tuesday release. It will not be the last. The business case for patching promptly, and for reviewing your DLP policies against AI data flows, is now documented and verifiable.

Deferred patching has a calculable cost. Every month you defer the Windows cumulative, you carry an additional layer of exploitable vulnerabilities. The six Exploitation More Likely EoPs from this month join whatever is already outstanding. At some point, that stack becomes the attack path. The cost of a credential escalation incident, in investigation time, operational disruption, and potential regulatory notification, substantially exceeds the cost of a patch window.

What This Means for Your Business

1. Apply the March cumulative update this week. Not next quarter, not when it feels urgent. The EoP components are exactly what attackers use after initial compromise. Close those doors.

2. Audit your Copilot deployment before next week. Know which users have Agent mode, what data it can access, and whether your DLP policies actually cover AI-mediated data flows. CVE-2026-26144 is patched in the March Office build, but you need to know your exposure exists before you can confirm it is remediated.

3. Add Adobe Acrobat to this month's patch run. If you patch Windows and Microsoft 365 but leave the quarterly Acrobat update until it suits you, you have left a well-documented code execution path open for no reason.

4. Check your Windows 10 estate for the hibernation issue. The March ESU update (KB5078885) resolves an issue where Secure Launch-capable Windows 10 PCs with Virtual Secure Mode enabled could not shut down or hibernate following the January update. If your estate has experienced unexpected restarts, this is the fix.

5. Note the Sysmon change for Windows 11. Sysmon is now available as a native optional Windows 11 feature. If you have the Sysinternals version installed, uninstall it before enabling the built-in version. Relevant if you use Sysmon for threat hunting or incident response telemetry.

No drama, no doom. Just a month's worth of documented vulnerabilities that need closing before someone else closes them for you.

Listen to the Full Discussion

This post supports the March 2026 Patch Tuesday Hot Takes episode of The Small Business Cyber Security Guy podcast. Graham Falkner walks through the full release, the cumulative update principle, the Copilot exfiltration risk, and the practical checklist in detail.