Patch Tuesday Roundup – March 2026

A cross-vendor look at notable security advisories

Every month, Patch Tuesday tends to focus heavily on operating systems and common enterprise software. But the broader reality of modern infrastructure is that risk doesn’t live in one vendor ecosystem.

March 2026 is a good example of that. Alongside the typical operating system updates, a wide range of enterprise vendors released security advisories affecting storage platforms, networking equipment, web frameworks, enterprise middleware, and firmware.

This post walks through some of the more notable advisories released around the March Patch Tuesday cycle to help security and IT teams understand where attention may be needed.

Microsoft Patch Tuesday – March 2026

Key Windows and Office Vulnerabilities Explained

Microsoft’s March 10, 2026 Patch Tuesday addressed several vulnerabilities affecting core Windows components and Microsoft Office products. While none were confirmed to be exploited at the time of publication, multiple vulnerabilities could allow attackers to execute code, escalate privileges, or disclose sensitive information if left unpatched.

The vulnerabilities discussed in this advisory include:

  • CVE-2026-26107
  • CVE-2026-26128
  • CVE-2026-25190
  • CVE-2026-25189
  • CVE-2026-25186

Together, these vulnerabilities highlight common attack patterns involving malicious files, memory corruption, and privilege escalation within Windows systems.

Vulnerability Overview

| CVE | Impact | Severity | Key Risk |
|---|---|---|---|
| CVE-2026-26107 | Remote Code Execution | Important | Malicious Excel file execution |
| CVE-2026-26128 | Elevation of Privilege | Important | SYSTEM privilege escalation |
| CVE-2026-25190 | Remote Code Execution | Important | DLL search path hijacking |
| CVE-2026-25189 | Elevation of Privilege | Important | Use-after-free memory bug |
| CVE-2026-25186 | Information Disclosure | Important | Sensitive data exposure |

Remote Code Execution Vulnerabilities

1. Excel Remote Code Execution

CVE-2026-26107

This vulnerability occurs due to a use-after-free memory condition within Microsoft Excel.

Attack scenario

  • An attacker creates a malicious Excel spreadsheet.
  • The file is distributed through phishing emails or downloads.
  • The victim opens the file.
  • Malicious code executes with the user's privileges.

Important details

  • Attack vector: Local
  • User interaction required
  • Preview Pane is not an attack vector

Affected products

  • Microsoft Excel
  • Microsoft 365 Apps for Enterprise
  • Office 2019
  • Office LTSC 2021 / 2024
  • Office Online Server
  • Excel 2016

2. Windows GDI Remote Code Execution

CVE-2026-25190

This vulnerability exists in the Windows Graphics Device Interface (GDI) due to an untrusted search path vulnerability.

Root cause

The system may load malicious DLL files from unsafe directories.

Attack scenario
  • Attacker creates a malicious installer.
  • Installer contains a malicious DLL.
  • Victim extracts the installer from an untrusted location.
  • Windows loads the attacker-controlled DLL.

This allows arbitrary code execution.
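
Added example, not taken from Microsoft's advisory or from this post's sources: detection logic for the search-path pattern described above, run over constructed Sysmon Event ID 7 (Image loaded) records. The DLL name list, the user-writable directory markers, and the sample events are assumptions for illustration; the advisory as summarized here names no specific DLL.

```python
import ntpath

# Assumption: illustrative subset of DLL names that normally resolve from System32.
# Build the real list from a clean reference image; the page names no specific DLL.
SYSTEM_DLL_NAMES = {"version.dll", "uxtheme.dll", "dwmapi.dll", "cryptbase.dll"}
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


def _norm(path):
    return ntpath.normpath(path).lower()


def _under(path, roots):
    return any(path.startswith(root + "\\") for root in roots)


def assess_image_load(event):
    """Score one Sysmon Event ID 7 (Image loaded) record; None means no finding."""
    image, loaded = _norm(event["Image"]), _norm(event["ImageLoaded"])
    dll_dir, dll_name = ntpath.split(loaded)
    if dll_name not in SYSTEM_DLL_NAMES or _under(loaded, TRUSTED_ROOTS):
        return None  # not a system DLL name, or loaded from its expected home
    reasons = ["system DLL name loaded outside Windows directories"]
    if dll_dir == ntpath.dirname(image):
        reasons.append("DLL sits beside the executable that loaded it")
    if any(marker in dll_dir + "\\" for marker in USER_WRITABLE):
        reasons.append("DLL directory is user-writable")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("DLL is unsigned")
    severity = "high" if len(reasons) >= 3 else "medium"
    return {"dll": loaded, "process": image, "severity": severity, "reasons": reasons}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\setup\installer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\setup\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\setup\installer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\uxtheme.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll", "Signed": "true"},
]


def triage(events):
    return [finding for finding in map(assess_image_load, events) if finding]
```

The signed copy beside a vendor application scores medium rather than being dropped, since some vendors ship private copies of system-named DLLs and those need allow-listing by hash or publisher.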

Privilege Escalation Vulnerabilities

3. Windows SMB Server Elevation of Privilege

CVE-2026-26128

This vulnerability occurs due to improper authentication handling in the SMB server component.

Key characteristics

  • Attack vector: Local
  • Privileges required: Low
  • User interaction: None

Impact

An attacker who successfully exploits the vulnerability could gain SYSTEM privileges, allowing:

  • installation of malware
  • modification of system files
  • persistence on compromised systems

4. Windows DWM Core Library Elevation of Privilege

CVE-2026-25189

This vulnerability is caused by a use-after-free flaw in the Desktop Window Manager core library.

Impact

Attackers could escalate privileges to SYSTEM level, gaining full control over the affected system.

Component affected

Windows Desktop Window Manager (DWM), which manages graphical rendering in Windows.

Information Disclosure Vulnerability

5. Windows Accessibility Infrastructure Information Disclosure

CVE-2026-25186

This vulnerability affects Windows Accessibility Infrastructure (ATBroker.exe).

Root cause

Exposure of sensitive information to unauthorized actors.

Potential data exposed
  • user credentials
  • application secrets
  • privileged user data

Although it does not directly allow code execution, it can support attack chains leading to privilege escalation or lateral movement.

Discovery

Reported by James Forshaw from Google Project Zero.

Affected Windows Systems

These vulnerabilities affect a broad range of Windows platforms.

Windows Client

  • Windows 10 1607
  • Windows 10 1809
  • Windows 10 21H2
  • Windows 10 22H2
  • Windows 11 23H2
  • Windows 11 24H2
  • Windows 11 25H2
  • Windows 11 26H1

Windows Server

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Security update examples include:

  • KB5078752
  • KB5078766
  • KB5078737
  • KB5078885
  • KB5079473
  • KB5079420

Patch Priority Recommendations

Security teams should prioritize patching based on impact and exploitation potential.

Highest Priority

Patch immediately:

  • CVE-2026-26107
  • CVE-2026-25190

These vulnerabilities allow attackers to execute arbitrary code.

High Priority

Patch as soon as possible:

  • CVE-2026-26128
  • CVE-2026-25189

These vulnerabilities allow attackers to gain SYSTEM privileges.

Moderate Priority

Patch during regular update cycles:

  • CVE-2026-25186

Although less severe, information disclosure vulnerabilities can assist in complex attack chains.

Security Recommendations

Organizations should implement the following defensive practices.

Apply Microsoft Security Updates

Install the March 2026 security patches across all affected Windows and Office systems.

Enforce Least Privilege

Restrict administrative privileges to reduce the impact of privilege escalation vulnerabilities.

Strengthen Email Security

Since Office document vulnerabilities remain a common attack vector, organizations should:

  • block suspicious attachments
  • use advanced phishing protection
  • deploy email sandboxing

Monitor SMB Activity

Security teams should monitor abnormal SMB traffic patterns to detect exploitation attempts.

Deploy Endpoint Detection and Response

EDR solutions can help detect:

  • malicious DLL loading
  • privilege escalation attempts
  • suspicious Office document behavior

Conclusion

The March 2026 Patch Tuesday highlights the ongoing risk posed by vulnerabilities in core Windows components and widely used productivity software.

Even though Microsoft assessed exploitation as unlikely at release time, attackers frequently combine vulnerabilities like these to create multi-stage attack chains, including:

  • Initial access through malicious documents
  • Privilege escalation on compromised systems
  • Lateral movement within enterprise networks

Organizations should ensure these updates are applied promptly and maintain strong monitoring capabilities to detect exploitation attempts. For more information, visit the Microsoft Security Update Guide.

Dell Security Advisories

Dell released several high-severity updates affecting enterprise storage and data protection platforms.

Connectrix B-Series SANnav

Advisory: DSA-2026-088

Multiple vulnerabilities were addressed across SANnav components, including issues that could potentially lead to privilege escalation or unauthorized access.

Affected CVEs include:

  • CVE-2025-12680
  • CVE-2025-12679
  • CVE-2025-12772
  • CVE-2025-12773
  • CVE-2025-12774
  • CVE-2025-26465
  • CVE-2025-27818 / CVE-2025-27819
  • CVE-2025-32728
  • CVE-2025-4207
  • plus several third-party dependency issues

Connectrix B-Series Fabric OS and SANnav

Advisory: DSA-2026-087

This update includes vulnerabilities affecting both Fabric OS and SANnav, including older issues inherited from bundled dependencies.

Example CVEs include:

  • CVE-2026-0383
  • CVE-2025-58379 / CVE-2025-58380 / CVE-2025-58381
  • CVE-2025-58382 / CVE-2025-58383
  • CVE-2024-26923
  • CVE-2023-52426

Avamar Data Store Gen5A

Advisory: DSA-2026-086

This advisory addresses multiple vulnerabilities originating from bundled third-party components.

Examples include:

  • CVE-2025-31146
  • CVE-2025-25273
  • CVE-2025-26863
  • CVE-2025-26697
  • CVE-2025-24486

Organizations running Avamar backup infrastructure should review these updates carefully, as backup systems often sit deep in core infrastructure.

Drupal Security Advisories

Two security advisories were published for contributed Drupal modules.

Unpublished Node Permissions (Critical)

SA-CONTRIB-2026-029

Severity: Critical

An access control issue allows bypassing restrictions on unpublished translated nodes. In certain configurations this could allow unauthorized viewing of unpublished content.

AI Module (Moderately Critical)

SA-CONTRIB-2026-028

Severity: Moderately Critical

Some AI-related modules allow LLM-generated HTML or Markdown content to be rendered in a browser preview. Under specific circumstances this rendering process could expose sensitive data associated with the LLM request.

This advisory highlights a newer class of risk tied to AI integrations within CMS platforms.

F5 Security Advisories

F5 released advisories covering multiple third-party components used within their products.

Intel CPU Vulnerability

CVE-2025-20109

Improper isolation in the stream cache mechanism of certain Intel processors may allow privilege escalation through local access.

Curl Vulnerability

CVE-2025-14524

A redirect issue involving OAuth2 bearer tokens could potentially expose tokens during cross-protocol redirects involving protocols such as:

  • IMAP
  • LDAP
  • POP3
  • SMTP

PostgreSQL Vulnerabilities

Two PostgreSQL issues were also highlighted:

  • CVE-2025-12817 – authorization issue in CREATE STATISTICS
  • CVE-2025-12818 – integer wraparound in libpq client library functions

Intel 800 Series Ethernet Driver

CVE-2025-24325

Improper input validation in the Linux kernel driver may allow local privilege escalation.

Apache Solr

CVE-2026-22444

Unexpected configuration access may allow users to create cores using unintended configsets, potentially leading to further compromise.

Fortinet Security Advisories

Several vulnerabilities were disclosed affecting Fortinet platforms including FortiManager, FortiAnalyzer, FortiSandbox, and FortiSwitch.

Notable examples include:

High Severity

FG-IR-26-098
CVE-2025-54820 – buffer overflow in the fgtupdates service that could allow remote code execution.

FG-IR-26-092
CVE-2025-68648 – format string vulnerability in the fazsvcd service.

Medium Severity

Examples include:

  • CVE-2026-22572 – MFA bypass in GUI authentication
  • CVE-2026-25836 – OS command injection in VM image update feature
  • CVE-2025-49784 – SQL injection in JSON-RPC API
  • CVE-2025-68482 – TLS certificate validation issue during SSO authentication
  • CVE-2025-48418 – privilege escalation via undocumented CLI command

Other Notable Issues

  • SSL-VPN persistence patch bypass (CVE-2025-68686)
  • Authentication lockout bypass race condition (CVE-2026-22629)

Network security infrastructure is frequently targeted by attackers, making these updates particularly important for organizations using Fortinet platforms.

HP and HPE Security Updates

Several advisories were published across firmware, device management, and networking products.

HP Device Manager

Severity: Critical

The update addresses a large set of vulnerabilities affecting HP Device Manager 5.0.16, including:

  • CVE-2025-14180
  • CVE-2025-14177
  • CVE-2025-1735
  • CVE-2025-53066
  • CVE-2025-59775

Intel UEFI Reference Firmware

Multiple vulnerabilities affecting UEFI implementations:

  • CVE-2025-20064
  • CVE-2025-20105
  • CVE-2025-20027
  • CVE-2025-20068

Firmware vulnerabilities can be particularly impactful because they sit below the operating system layer.

HPE Server and Networking Advisories

Examples include:

  • Aruba AOS-CX networking platform vulnerabilities
  • HPE Telco Intelligent Assurance vulnerability (CVE-2025-33042)
  • Intel processor firmware issues affecting ProLiant and other HPE systems

IBM Security Advisories

IBM released a large set of advisories across several enterprise platforms.

Affected products include:

  • IBM Guardium Data Protection
  • IBM Knowledge Catalog Premium Cartridge
  • IBM Watsonx BI Assistant
  • IBM MQ
  • IBM Spectrum Protect Plus
  • IBM WebMethods BPM
  • IBM Sterling B2B Integrator
  • IBM Instana Observability
  • IBM Aspera Orchestrator

Many of the issues stem from third-party dependency vulnerabilities in components such as:

  • Java runtimes
  • MongoDB
  • Node.js
  • Go libraries
  • Linux kernel components
  • Spring frameworks

A few examples include:

  • CVE-2025-15467 (critical in IBM MQ)
  • CVE-2024-57965 (critical in Knowledge Catalog)
  • CVE-2025-68121 (critical affecting Instana components)

Large enterprise platforms frequently aggregate many dependencies, so advisories often cover dozens of CVEs in a single update.

Ivanti Security Advisories

Ivanti also released advisories affecting endpoint and device management platforms.

Ivanti DSM

CVE-2026-3483

An exposed dangerous method in Ivanti DSM prior to version 2026.1.1 could allow a local attacker to exploit the application.

Ivanti Endpoint Manager

Two vulnerabilities were addressed:

  • CVE-2026-1602 – SQL injection
  • CVE-2026-1603 – authentication bypass

Endpoint management platforms often operate with elevated privileges, making timely patching especially important.

Key Takeaways

Looking across the March 2026 advisories, several patterns stand out:

  • Third-party dependencies continue to drive vulnerability exposure

    Many advisories originate from embedded components such as:

    • Java libraries
    • Open-source frameworks
    • container runtimes
    • networking libraries
  • Infrastructure software remains a critical attack surface

    Several updates affect infrastructure layers including:

    • SAN storage platforms
    • enterprise backup systems
    • firmware and UEFI
    • network appliances
    • management platforms
  • Security tools themselves are not immune

    Platforms designed to improve security posture (SIEM, observability, firewall management, endpoint management) frequently appear in patch cycles as well.

Recommendations for Security Teams

Some practical steps organizations should consider during each Patch Tuesday cycle:

  1. Maintain a vendor inventory

    Know which platforms your organization depends on, including infrastructure tools that may not be as visible as operating systems.

  2. Monitor vendor advisories

    Many critical vulnerabilities are published outside traditional OS patch cycles.

  3. Track third-party components

    A vulnerability in a common library may affect multiple vendors simultaneously.

  4. Prioritize infrastructure platforms

    Systems like storage controllers, management platforms, and network appliances often have high privileges and broad access.

Disclaimer

This post provides an overview of selected advisories released around the March 2026 Patch Tuesday timeframe across several vendors.

It is not a complete list of all vulnerabilities or advisories published during this period.

Every organization operates a different technology stack, and security teams should always review advisories from the vendors whose products are deployed in their environment. Monitoring official vendor security bulletins remains the most reliable way to ensure timely awareness and patching of relevant vulnerabilities.