Microsoft released patches for 83 CVEs across its product range in March, a larger drop than last month’s 63-patch update. The bundle includes a mix of privilege-escalation, remote-code-execution (RCE) and denial-of-service flaws, with eight vulnerabilities rated as critical; one CVSS 9.8 issue, CVE-2027-21536, relates to the Microsoft Devices Pricing Program for channel partners and distributors.
For the most part, the update is not expected to cause widespread panic, and security experts say organisations can apply patches after testing rather than rushing deployments, according to Tyler Reguly, associate director of security R&D at Fortra. Elevation-of-privilege bugs dominated this month’s fixes, comprising about 55.4% of patched CVEs by Tenable’s count, including three affecting the Windows kernel: CVE-2026-24289, CVE-2026-26132 and CVE-2026-24287, all rated CVSS 7.8.
Notable RCE items include CVE-2026-26113 and CVE-2026-26110 in Microsoft Office, with the Preview Pane as an attack vector, while two GDI flaws (CVE-2026-25190 and CVE-2026-25181) could enable a dual-stage attack when chained.