Microsoft Patches 83 CVEs in March Update

Microsoft this week released patches for 83 CVEs across its product range, six of which it expects attackers are more like to exploit for a variety of reasons. This month's patch drop is bigger than last month's small 63-patch security update. It has the usual mix of bugs, including those that let hackers steal data, those that let them run code remotely (RCE), those that let them deny service, and those that let them escalate privileges.

However, there's little in the set that merits an immediate all-hands on-deck kind of response that some Microsoft updates warrant, according to some security experts. For the most part, Microsoft's March patch release should pose relatively fewer challenges than usual, observed Tyler Reguly, associated director of security R&D at Fortra.

Reguly told ZeroOwl, "I don't see a lot of reasons for people to be stressed." Sarwate said in an email that "elevation of privilege" is one of the attackers' main ways to get into networks and stay there. Related: A cyberattack on the government of Mexico Point out the AI threat ## Important RCE Bugs The RCE vulnerabilities that security experts pointed to as more noteworthy in this month's set are two affecting Microsoft Office: CVE-2026-26113 (CVSS 8.4) and CVE-2026-26110 (CVSS 8.4).

The Preview Pane is an attack vector in both cases, meaning a user could be compromised without having to open a malcious document or file.

Jack Bicer, director of vulnerability research at Action1, said in a statement, "If the security update can't be applied right away, companies should turn off the Preview Pane in file explorers and only open Office files from trusted sources." "Implementing email filtering, attachment scanning, and endpoint protection monitoring can also reduce the risk of malicious document delivery." This month, Microsoft released a list of vulnerabilities that are less likely to be exploited.

Two of them are CVE-2026-25190 (CVS 7.8), an RCE vulnerability in GDI, and CVE-2026-25181 (CVSS 7.5), an information disclosure vulnerability in GDI+, which are the graphics APIs in Windows.

Microsoft Patches 83 CVEs in March Update

Trending News

Coruna, DarkSword, and Democratizing Nation-State Exploit Kits

Coruna, DarkSword, and Democratizing Nation-State Exploit Kits

Apple Sends Lock Screen Alerts to Old iPhones About Active Web-Based Exploits

Apple Sends Lock Screen Alerts to Old iPhones About Active Web-Based Exploits

Wartime Usage of Compromised IP Cameras Highlight Their Danger

Wartime Usage of Compromised IP Cameras Highlight Their Danger

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files

Hackers use phishing ZIP files to send PXA Stealer to steal money from banks and other financial institutions.

Hackers use phishing ZIP files to send PXA Stealer to steal money from banks and other financial institutions.

China improves the backdoor it uses to spy on telecom companies around the world.

China improves the backdoor it uses to spy on telecom companies around the world.

Telnyx PyPI Package With 742,000 downloads Compromised in TeamPCP Supply Chain Attack

Telnyx PyPI Package With 742,000 downloads Compromised in TeamPCP Supply Chain Attack

Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks

Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks

Attacks on infrastructure that have physical effects are down 25%.

Attacks on infrastructure that have physical effects are down 25%.

How mistakes can help businesses improve their security programs

How mistakes can help businesses improve their security programs