Microsoft's March 2026 security updates include 83 new CVE fixes affecting various products, including Windows Server core services and Azure IoT Explorer. The most critical patch addresses a vulnerability rated 9.8 in the Microsoft Devices Pricing Program, which could allow an attacker to read sensitive telemetry if they send a malformed request. Hotpatching is now available for Azure VM images, allowing users to apply patches without restarting their virtual machines. Users should prioritize applying patches with CVSS scores above 8 and consider their exposure to vulnerabilities when deciding which patches to install first.
Microsoft March 2026 Security Updates: What You Need to Know Before Installing
In the latest monthly wave of patches, Microsoft shipped 83 new CVE fixes that touch everything from Windows Server core services to Azure IoT Explorer and even Microsoft Edge. The goal today is to help you decide which updates matter for your environment and how to get them applied without breaking daily workflows.
Why the March 2026 Patch Set Is Different
The biggest headline this month is CVE‑2026‑21536 in the Microsoft Devices Pricing Program, which carries a base score of 9.8. In practice, that means if you run Windows Store apps or any software that pulls device pricing data from Microsoft’s cloud, there’s a small chance a malformed request could let an attacker read sensitive telemetry. Most users won’t feel the impact until they hit that specific API path, so it’s not a “plug‑and‑play” risk for everyone.
Another notable entry is CVE‑2026‑20967 in System Center Operations Manager, scoring 8.8. A misconfigured SCOM console can expose internal network metadata to an external attacker. If you run legacy SCOM versions on older Windows Server 2008 R2 boxes, that’s the one to check first.
Hotpatching and What It Means for Your VMs
Microsoft’s Hotpatching feature is now GA for Azure VM images. If your workloads are running on an Azure Standard or Premium VM with the latest Servicing Stack (look in your image for the “ADV” tag), you can apply most of these patches without a reboot. The process still involves calling the Windows Update Agent, but it will push changes to memory and avoid downtime.
The command‑line workflow stays the same:
- Verify you’re on an Azure‑approved image – look at the Microsoft-Windows-ServicingStack version in PowerShell:
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption,Version,BuildNumber
- Check the Hotpatch state – a quick query tells you if hotpatching is enabled:
powershell.exe -Command "Get-WmiObject -Namespace root\Microsoft\Windows\Update -Class MSFT_ScheduledTask | Where-Object {$_.Name -eq 'HotPatch'}"
- Trigger an update cycle – run the standard update agent but with a forced patch set:
wuauclt.exe /detectnow /updatenow
Why bother? Because any “cold” reboot on production VMs can cost you hours of service, especially in distributed builds that rely on Windows Server 2019 or later. Hotpatching gives you a safety net for the majority of critical fixes.
Edge, GitHub, and The Outside‑World CVEs
Microsoft Edge (Chromium) received five new vulnerabilities (CVE‑2026‑3536 to CVE‑2026‑3545). They’re all “Exploitation Unlikely,” but they touch the renderer process, meaning a malicious web page could crash your browser or lead to a sandbox escape. If you run Edge in kiosk mode for public terminals or rely on it for internal tooling, you should update immediately.
Meanwhile, CVE‑2026‑26030 in the Microsoft Semantic Kernel Python SDK is an external CVE, issued by GitHub, that Microsoft tracks because the SDK is distributed through PyPI. The issue involves a type‑confusion bug that could let a crafted package raise an exception in your inference loop, which is usually harmless but annoying if you’re training models on a CI server.
How to Prioritize Which Patches To Apply
- Look at the CVSS score – anything above 8 is worth applying ASAP, especially for core services like SMB Server (CVE‑2026‑23669) or Windows Kernel (CVE‑2026‑24287).
- Consider your exposure – if you’re a cloud‑native team on Azure Kubernetes Service, the Azure Compute Gallery CVEs (CVE‑2026‑23651 and CVE‑2026‑26122) are less relevant than the Azure IoT Explorer ones that could let an attacker read telemetry from connected devices.
- Check for hotpatch – if you’re on a supported image, apply hotpatchable fixes first to keep services running.
If you run Windows 10 or 11 on-premises, remember the monthly cumulative update bundles all these patches together. Use the Microsoft Update Catalog or WSUS to pull them; it’s simpler than managing individual .msu files.
Keeping Your System Clean After Patching
Once you’ve installed, reboot only if the patch explicitly requires it (most of the newer ones don’t). Then run a quick integrity check:
sfc /scannow
This verifies system files haven’t been corrupted during the update. If SFC flags errors, run DISM /Online /Cleanup-Image /RestoreHealth to pull clean copies from Windows Update.
Also, keep an eye on the Security Update Guide blog posts—Microsoft’s December 2020 entry on “Vulnerability Descriptions in the New Version” still highlights how they publish machine‑readable CSAF files. If you automate your patch compliance checks (via SCCM or a custom script), pull those JSON feeds to stay ahead of any new workarounds.
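One way to script the prioritization rules above (score, then exposure) on top of the CSAF feeds mentioned here, as an added example that is not from the original article or from Microsoft. The input documents are constructed and use only standard CSAF 2.0 fields; the product names reuse this page's Tag column and the inventory set is hypothetical, so real MSRC files will need their own product-name mapping.

```python
import json

def sample_doc(cve, product, score):
    """Build one constructed, minimal CSAF 2.0 document (standard fields only)."""
    return json.dumps({
        "document": {"title": "constructed sample for " + cve},
        "product_tree": {"full_product_names": [{"product_id": "P1", "name": product}]},
        "vulnerabilities": [{"cve": cve, "scores": [
            {"products": ["P1"], "cvss_v3": {"baseScore": score}}]}],
    })

# Constructed feed: CVE ids, tags and base scores copied from this page's table.
SAMPLE_FEED = [
    sample_doc("CVE-2026-21536", "Microsoft Devices Pricing Program", 9.8),
    sample_doc("CVE-2026-23669", "Windows Print Spooler Components", 8.8),
    sample_doc("CVE-2026-24294", "Windows SMB Server", 7.8),
    sample_doc("CVE-2026-23661", "Azure IoT Explorer", 7.5),
]
# Hypothetical inventory: what this environment actually runs.
INVENTORY = {"Windows Print Spooler Components", "Windows SMB Server"}

def parse_csaf(text):
    """Return (cve, highest base score or None, affected product names) per vulnerability."""
    doc = json.loads(text)
    names = {p["product_id"]: p["name"]
             for p in doc.get("product_tree", {}).get("full_product_names", [])}
    found = []
    for vuln in doc.get("vulnerabilities", []):
        ids = set(vuln.get("product_status", {}).get("known_affected", []))
        bases = []
        for entry in vuln.get("scores", []):
            ids.update(entry.get("products", []))
            if "baseScore" in entry.get("cvss_v3", {}):
                bases.append(float(entry["cvss_v3"]["baseScore"]))
        found.append((vuln.get("cve", "UNKNOWN"), max(bases, default=None),
                      {names.get(i, i) for i in ids}))
    return found

def prioritize(csaf_texts, inventory, threshold=8.0):
    """Tier 0: deployed and above threshold (or unscored); 1: deployed; 2: not deployed."""
    rows = []
    for text in csaf_texts:
        for cve, score, products in parse_csaf(text):
            exposed = bool(products & inventory)
            urgent = score is None or score > threshold  # unscored entries fail closed
            rows.append((cve, score, 2 if not exposed else 0 if urgent else 1))
    rows.sort(key=lambda r: (r[2], -(10.0 if r[1] is None else r[1]), r[0]))
    return rows
```

Note that the 9.8-rated entry lands in the last tier for this inventory: a high score on a product you do not run ranks below a lower score on one you do.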
Security Update Guide - Microsoft Security Response Center
This release consists of the following 83 Microsoft CVEs:
| Tag | CVE | Base Score |
| --- | --- | --- |
| System Center Operations Manager | CVE-2026-20967 | 8.8 |
| SQL Server | CVE-2026-21262 | 8.8 |
| Microsoft Devices Pricing Program | CVE-2026-21536 | 9.8 |
| Azure Compute Gallery | CVE-2026-23651 | 6.7 |
| GitHub Repo: zero-shot-scfoundation | CVE-2026-23654 | 8.8 |
| Windows App Installer | CVE-2026-23656 | 5.9 |
| Azure Portal Windows Admin Center | CVE-2026-23660 | 7.8 |
| Azure IoT Explorer | CVE-2026-23661 | 7.5 |
| Azure IoT Explorer | CVE-2026-23662 | 7.5 |
| Azure IoT Explorer | CVE-2026-23664 | 7.5 |
| Azure Linux Virtual Machines | CVE-2026-23665 | 7.8 |
| Broadcast DVR | CVE-2026-23667 | 7.0 |
| Microsoft Graphics Component | CVE-2026-23668 | 7.0 |
| Windows Print Spooler Components | CVE-2026-23669 | 8.8 |
| Windows Bluetooth RFCOM Protocol Driver | CVE-2026-23671 | 7.0 |
| Windows Universal Disk Format File System Driver (UDFS) | CVE-2026-23672 | 7.8 |
| Windows Resilient File System (ReFS) | CVE-2026-23673 | 7.8 |
| Windows MapUrlToZone | CVE-2026-23674 | 7.5 |
| Push Message Routing Service | CVE-2026-24282 | 5.5 |
| Windows File Server | CVE-2026-24283 | 8.8 |
| Windows Win32K | CVE-2026-24285 | 7.0 |
| Windows Kernel | CVE-2026-24287 | 7.8 |
| Windows Mobile Broadband | CVE-2026-24288 | 6.8 |
| Windows Kernel | CVE-2026-24289 | 7.8 |
| Windows Projected File System | CVE-2026-24290 | 7.8 |
| Windows Accessibility Infrastructure (ATBroker.exe) | CVE-2026-24291 | 7.8 |
| Connected Devices Platform Service (Cdpsvc) | CVE-2026-24292 | 7.8 |
| Windows Ancillary Function Driver for WinSock | CVE-2026-24293 | 7.8 |
| Windows SMB Server | CVE-2026-24294 | 7.8 |
| Windows Device Association Service | CVE-2026-24295 | 7.0 |
| Windows Device Association Service | CVE-2026-24296 | 7.0 |
| Windows Kerberos | CVE-2026-24297 | 6.5 |
| Windows Performance Counters | CVE-2026-25165 | 7.8 |
| Windows System Image Manager | CVE-2026-25166 | 7.8 |
| Microsoft Brokering File System | CVE-2026-25167 | 7.4 |
| Microsoft Graphics Component | CVE-2026-25168 | 6.2 |
| Microsoft Graphics Component | CVE-2026-25169 | 6.2 |
| Role: Windows Hyper-V | CVE-2026-25170 | 7.0 |
| Windows Authentication Methods | CVE-2026-25171 | 7.0 |
| Windows Routing and Remote Access Service (RRAS) | CVE-2026-25172 | 8.8 |
| Windows Routing and Remote Access Service (RRAS) | CVE-2026-25173 | 8.0 |
| Windows Extensible File Allocation | CVE-2026-25174 | 7.8 |
| Windows NTFS | CVE-2026-25175 | 7.8 |
| Windows Ancillary Function Driver for WinSock | CVE-2026-25176 | 7.8 |
| Active Directory Domain Services | CVE-2026-25177 | 8.8 |
| Windows Ancillary Function Driver for WinSock | CVE-2026-25178 | 7.0 |
| Windows Ancillary Function Driver for WinSock | CVE-2026-25179 | 7.0 |
| Microsoft Graphics Component | CVE-2026-25180 | 5.5 |
| Windows GDI+ | CVE-2026-25181 | 7.5 |
| Windows Shell Link Processing | CVE-2026-25185 | 5.3 |
| Windows Accessibility Infrastructure (ATBroker.exe) | CVE-2026-25186 | 5.5 |
| Winlogon | CVE-2026-25187 | 7.8 |
| Windows Telephony Service | CVE-2026-25188 | 8.8 |
| Windows DWM Core Library | CVE-2026-25189 | 7.8 |
| Windows GDI | CVE-2026-25190 | 7.8 |
| Microsoft Office SharePoint | CVE-2026-26105 | 8.1 |
| Microsoft Office SharePoint | CVE-2026-26106 | 8.8 |
| Microsoft Office Excel | CVE-2026-26107 | 7.8 |
| Microsoft Office Excel | CVE-2026-26108 | 7.8 |
| Microsoft Office Excel | CVE-2026-26109 | 8.4 |
| Microsoft Office | CVE-2026-26110 | 8.4 |
| Windows Routing and Remote Access Service (RRAS) | CVE-2026-26111 | 8.8 |
| Microsoft Office Excel | CVE-2026-26112 | 7.8 |
| Microsoft Office | CVE-2026-26113 | 8.4 |
| Microsoft Office SharePoint | CVE-2026-26114 | 8.8 |
| SQL Server | CVE-2026-26115 | 8.8 |
| SQL Server | CVE-2026-26116 | 8.8 |
| Azure Windows Virtual Machine Agent | CVE-2026-26117 | 7.8 |
| Azure MCP Server | CVE-2026-26118 | 8.8 |
| Azure IoT Explorer | CVE-2026-26121 | 7.5 |
| Azure Compute Gallery | CVE-2026-26122 | 6.5 |
| Microsoft Authenticator | CVE-2026-26123 | 5.5 |
| Azure Compute Gallery | CVE-2026-26124 | 6.7 |
| Payment Orchestrator Service | CVE-2026-26125 | 8.6 |
| .NET | CVE-2026-26127 | 7.5 |
| Windows SMB Server | CVE-2026-26128 | 7.8 |
| ASP.NET Core | CVE-2026-26130 | 7.5 |
| .NET | CVE-2026-26131 | 7.8 |
| Windows Kernel | CVE-2026-26132 | 7.8 |
| Microsoft Office | CVE-2026-26134 | 7.8 |
| Azure Arc | CVE-2026-26141 | 7.8 |
| Microsoft Office Excel | CVE-2026-26144 | 7.5 |
| Azure Entra ID | CVE-2026-26148 | 8.1 |

We are republishing 10 non-Microsoft CVEs:

| CNA | Tag | CVE |
| --- | --- | --- |
| GitHub | Microsoft Semantic Kernel Python SDK | CVE-2026-26030 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2026-3536 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2026-3538 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2026-3539 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2026-3540 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2026-3541 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2026-3542 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2026-3543 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2026-3544 |
| Chrome | Microsoft Edge (Chromium-based) | CVE-2026-3545 |
