Patch Tuesday March 2026 - Critical Microsoft Security Patches

CVE-2026-23668 - 7.0 - Windows Graphics Component Elevation of Privilege Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive

The vulnerability identified as CVE-2026-23668 is a critical flaw in the Windows Graphics Component that involves improper synchronization. It’s a race condition where the system fails to manage concurrent access to a shared memory resource or data structure. This happens when multiple threads or processes attempt to modify the same data simultaneously without the appropriate locking mechanisms, and because the sequence of events isn’t strictly enforced, an attacker can manipulate the timing of these operations to force the system into an unstable or unintended state.

To gain control, a threat actor must execute their malicious code at the exact millisecond that the Graphics Component is processing a specific task. While this requires a high degree of precision, modern automated scripts can repeat these attempts rapidly until the race is won.

Attackers prioritize elevation-of-privilege vulnerabilities like this one because they serve as a vital bridge in a multi-stage attack. While a hacker might initially gain access to a computer through a low-level user account or a restricted service, they’re often blocked from accessing sensitive files or installing software by the operating system's security boundaries. This specific flaw allows them to bypass those restrictions and gain full administrator rights.

The lack of required user interaction makes this an attractive target for automated malware and persistent threats. Since the exploit happens entirely in the background, a logged-in user would likely notice no signs of a compromise while the attacker gains the ability to disable antivirus software, exfiltrate encrypted data, or deploy ransomware across the entire system. Although the exploit code is currently unproven, the assessment that exploitation is more likely suggests the underlying logic of the flaw is well understood by researchers and could be weaponized quickly.

CVE-2026-24291 - 7.8 - Windows Accessibility Infrastructure

Ben McCarthy, Lead Cyber Security Engineer, Immersive

The vulnerability identified as CVE-2026-24291 resides in the Windows Accessibility Infrastructure and specifically affects the Assistive Technology Registration Broker, known as ATBroker.exe. This component is a critical part of the operating system that manages and launches accessibility tools such as Screen Reader or Magnifier. The core issue is categorized as CWE-732, which involves an incorrect permission assignment for a critical resource. This means that the file system permissions or registry keys associated with this broker were configured too loosely, allowing a standard user to modify or influence a process that should be restricted to high-level system accounts.

Since ATBroker.exe operates with elevated capabilities to manage desktop transitions and secure login screens, compromising it provides a path to the highest level of authority on a Windows machine.

This specific vulnerability is highly prized by threat actors because it offers a reliable transition from a limited user account to SYSTEM privileges. While many elevation flaws only grant Administrator status, gaining SYSTEM rights provides total control over the system and the ability to manipulate memory. This is the ultimate goal for any local attacker because it allows complete bypass of endpoint detection and response tools, which might otherwise block an Administrator but can’t easily stop a process running with the SYSTEM token.

The absence of any required user interaction makes this an ideal candidate for integration into automated lateral movement toolkits. A piece of malware that finds itself on a workstation with low privileges can use this flaw to gain the permissions necessary to dump credentials from memory, install persistent rootkits, or pivot to other machines on the network. Furthermore, because the vulnerability exists in a core accessibility component present on nearly every modern Windows installation, the potential attack surface is vast, making the rapid deployment of the official fix essential to maintaining perimeter integrity.

CVE-2026-24294 - 7.8 - Windows SMB Server Elevation of Privilege Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive

The vulnerability identified as CVE-2026-24294 involves a flaw within the Windows Server Message Block (SMB) Server component. This specific issue is rooted in improper authentication, documented as CWE-287, which occurs when a system incorrectly verifies the identity of a user or process. In the context of the SMB server, which handles file sharing and network communication, the software fails to properly validate the claims of a local entity. This allows an attacker to masquerade as a more privileged account or bypass the intended authentication checks entirely during local communication with the SMB service.

The SMB server is a core system service that often runs with high-level permissions to manage file system access; an authentication failure here is particularly dangerous. An attacker already present on the system with low-level access can send specially crafted requests to the local SMB loopback interface. If the server incorrectly authenticates these requests as coming from a trusted or higher-privileged source, it will execute commands or grant access rights that the attacker should not possess.

This vulnerability is highly attractive to threat actors because it provides a reliable and direct path to SYSTEM privileges. While many exploits might only grant administrative rights, gaining SYSTEM status allows an attacker to operate at the highest possible level of authority within the Windows environment. This level of access is essential for deep system manipulation, such as tampering with kernel-level protections, accessing hardware directly, or harvesting credentials from the Local Security Authority Subsystem Service (LSASS).

From an attacker's perspective, the SMB server is an ideal target because it’s nearly always enabled and active on Windows systems. If a piece of malware gains a foothold through a low-privilege service, it can use CVE-2026-24294 to immediately escalate its capabilities without needing to trick a user into clicking a link or providing a password. This makes the vulnerability a prime candidate for inclusion in automated attack frameworks and advanced persistent threat (APT) toolkits, as it ensures a high success rate for total system takeover once a machine is initially compromised.

CVE-2026-24289 - 7.8 - Windows Kernel Elevation of Privilege Vulnerability CVE-2026-26132 - 7.8 - Windows Kernel Elevation of Privilege Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive

The vulnerabilities relating to the kernel both show a critical memory corruption flaw. It’s specifically identified as a Use After Free (UAF) issue, classified under CWE-416. This error occurs when the kernel continues to use a pointer to a memory location that has already been deallocated. In a complex environment like the Windows Kernel, memory is constantly being allocated for objects and then released when those objects are no longer needed. If the system fails to nullify the pointer to that memory, it creates a dangling pointer that still refers to the old address.

The technical danger is that once memory is freed, the system is free to reuse that exact space for a completely different purpose. An attacker can use a technique called heap spraying or pool grooming to fill that newly freed space with their own malicious data. When the kernel subsequently attempts to use the dangling pointer, it unknowingly treats the attacker's data as a legitimate kernel object. Because the attack complexity is low, a threat actor can reliably trigger this condition to hijack the kernel's execution flow.

For a threat actor, a Windows Kernel vulnerability is the primary target for local exploits because the kernel controls the operating system. Therefore, any code executed in this context bypasses all standard security boundaries in the operating system.

Successful exploitation grants the attacker SYSTEM privileges, which is the highest level of authority available. This status surpasses even that of a local Administrator and allows an attacker to manipulate every process, read any file, and access the machine's raw memory. Once an attacker has kernel-level access, they can simply disable or bypass security tools such as antivirus and Endpoint Detection and Response agents. From the kernel's perspective, these security programs are just another set of instructions that can be modified or halted at will.

Kernel exploits also allow for the installation of rootkits that remain hidden from the operating system itself. By modifying the kernel's own reporting mechanisms, an attacker can ensure their presence is never detected by standard diagnostic tools. Since this exploit requires no user interaction and is low-complexity, it’s an ideal component for sophisticated malware that seeks to transform a simple, low-privileged infection into a total system takeover without alerting the user.

CVE-2026-21536 - 9.8 - Microsoft Devices Pricing Program Remote Code Execution Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive

One of the first AI Agentic agents that have a CVE recognised and attributed to the Windows Operating system, this vulnerability was found by XBOW, the AI pen testing agent. This shows how AI agents can find critical 9.8-scoring vulnerabilities without access to source code. While it has already been patched and mitigated by Microsoft, it shows how we’re likely to be moving into AI agents finding complex vulnerabilities quicker than humans.

CVE-2026-25187 - 7.8 - Winlogon Elevation of Privilege Vulnerability

Jacob Ashdown, Cyber Security Engineer, Immersive

Microsoft’s March 2026 Patch Tuesday addresses CVE-2026-15187, an elevation of privilege vulnerability in Winlogon stemming from improper link resolution before file access (CWE-59). The flaw allows a locally authenticated attacker with low privileges to exploit a link-following condition in the Winlogon process to escalate to SYSTEM-level privileges. Rated Important with a CVSS of 7.8, the vulnerability requires no user interaction and has low attack complexity, making it a straightforward target for any attacker who already has a foothold on the system. While there is no evidence of public disclosure or active exploitation at this time, Microsoft rates it as “Exploitation More Likely” warranting prompt attention.

The affected systems are broad, spanning virtually all supported versions of Windows, from Windows 10 and 11 to Server 2012 through to 2025. Organizations should prioritize patching this vulnerability given the ease of exploitation and the critical nature of SYSTEM-level access it grants, particularly on servers and shared workstations.

If this vulnerability is exploited, an attacker gains complete access to the system, making it an attractive choice to place in an attack chain, potentially enabling them to achieve their next objective, such as moving laterally across the network or setting up a highly privileged rootkit.