Microsoft March 2026 Patch Tuesday: 79 CVEs, Two Actively Exploited Zero-Days
March's Patch Tuesday is the heaviest of 2026 so far — two zero-days in the Windows kernel and NTFS driver are being actively exploited in the wild. Every Windows developer machine and CI runner needs this update today.
Dillip Chowdary
Founder & AI Researcher • March 27, 2026 • 7 min read
March 2026 Patch Tuesday — By the Numbers
- Total CVEs patched: 79
- Critical severity: 11
- Actively exploited zero-days: 2 (Windows kernel EoP + NTFS RCE)
- Publicly disclosed (not yet exploited): 3
- Products affected: Windows 10/11, Windows Server 2019–2025, .NET 8/9, Visual Studio 2022, Azure DevOps Server, Hyper-V
The Two Zero-Days: What Developers Need to Know
Zero-Day #1 — Windows Kernel Elevation of Privilege
The first zero-day is a privilege escalation vulnerability in the Windows kernel. An attacker who has gained low-privilege code execution on a machine — through a phishing payload, a compromised dependency, or any initial-access technique — can exploit this flaw to escalate to SYSTEM-level privileges. Microsoft confirmed it is being exploited by an advanced persistent threat (APT) actor in targeted attacks against enterprise environments.
- Attack surface: Local — attacker requires code execution on the target machine first (standard EoP chain).
- Impact: Full SYSTEM access — attacker can disable security tooling, dump credentials from LSASS, and establish persistent kernel-level implants.
- Developer relevance: Developer machines running untrusted code (npm packages, pip packages, build scripts from forks) are a realistic initial-access vector for this exploit chain.
- Affected: Windows 10 21H2+, Windows 11 all versions, Windows Server 2019–2025.
Zero-Day #2 — Windows NTFS Remote Code Execution
The second zero-day is more severe in scope: a remote code execution flaw in the Windows NTFS driver. Exploitation requires convincing a user to mount or preview a specially crafted virtual disk image — a scenario that is trivially achievable via email attachments, network shares, or malicious repositories containing .vhd / .vhdx files.
- Attack vector: User interaction — mounting or previewing a malicious virtual disk image triggers the exploit.
- Impact: Arbitrary code execution at the privilege level of the user mounting the disk.
- Developer relevance: CI/CD pipelines that mount artifacts, VM images, or container layer tarballs as part of build/test workflows are a realistic attack surface. Developers who receive disk images in code review or testing contexts are also exposed.
- Affected: All Windows versions with NTFS — including Windows Server 2025 used as build agents.
Critical CVEs Developer Environments Should Prioritize
| CVE | Component | Type | Severity | Exploited |
|---|---|---|---|---|
| CVE-2026-24985 | Windows Kernel | EoP → SYSTEM | CRITICAL | Yes |
| CVE-2026-24991 | Windows NTFS | RCE via disk image | CRITICAL | Yes |
| CVE-2026-21406 | Hyper-V | Guest-to-host escape | CRITICAL | No |
| CVE-2026-24974 | .NET 8 / .NET 9 | RCE in XML parsing | CRITICAL | No |
| CVE-2026-21418 | Visual Studio 2022 | RCE via project file | CRITICAL | No |
| CVE-2026-24962 | Azure DevOps Server | Remote Code Execution | CRITICAL | No |
| CVE-2026-21390 | Remote Desktop Services | Pre-auth RCE | CRITICAL | No |
| CVE-2026-24948 | Windows DNS Server | RCE via malformed query | IMPORTANT | No |
CVE-2026-21418: Visual Studio RCE — Developer-Specific Risk
CVE-2026-21418 deserves special attention for developers: a malicious .csproj, .sln, or .vcxproj file opened in Visual Studio 2022 can trigger code execution without any further user interaction. Malicious project files shared via GitHub PRs, code review tools, or repository forks are a plausible delivery mechanism — update Visual Studio before reviewing untrusted code.
Developer Patch Checklist
Apply in This Order — Today
1. Windows Update on all dev machines — Settings → Windows Update → Check for updates. Both zero-days are patched via cumulative update.
2. Update Visual Studio 2022 — Help → Check for Updates, or `winget upgrade Microsoft.VisualStudio.2022.Community`. Covers CVE-2026-21418.
3. Update .NET SDK/Runtime — `winget upgrade Microsoft.DotNet.SDK.9` and `Microsoft.DotNet.SDK.8`. Covers CVE-2026-24974.
4. Patch Windows Server build agents — CI runners on Windows Server 2019/2022/2025 need the cumulative update applied and rebooted.
5. Update Azure DevOps Server — if self-hosted, apply the March 2026 security update from MSRC. Covers CVE-2026-24962.
6. Patch Hyper-V hosts — if running Windows-based VMs for local dev environments, CVE-2026-21406 (guest-to-host escape) requires host patching.
Quick update commands (run as admin):
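The checklist as a script for a single machine, added here as an example and not the article's own commands: it runs the winget upgrades named in the checklist, then reports whether the cumulative update is installed and whether a reboot is still pending. `KB0000000` is a placeholder because the article does not give the KB number; the `$ExpectedKb` parameter and the report layout are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. $ExpectedKb is a PLACEHOLDER: replace it
# with the KB of the March 2026 cumulative update for your Windows build.
param([string]$ExpectedKb = 'KB0000000')

# Package IDs as given in the checklist.
$packages = 'Microsoft.VisualStudio.2022.Community',
            'Microsoft.DotNet.SDK.9',
            'Microsoft.DotNet.SDK.8'

if (Get-Command winget -ErrorAction SilentlyContinue) {
    foreach ($id in $packages) {
        winget upgrade --id $id --exact --silent `
            --accept-package-agreements --accept-source-agreements
        # winget can exit non-zero even when there was nothing to upgrade, so
        # report the code instead of treating it as a failure.
        Write-Host ("{0}: winget exit code {1}" -f $id, $LASTEXITCODE)
    }
} else {
    Write-Warning 'winget not found; update Visual Studio and .NET manually.'
}

# The OS fixes arrive with the cumulative update: confirm it is installed and
# that no reboot is still outstanding.
$hotfix = Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$pendingReboot = [bool]($rebootKeys | Where-Object { Test-Path $_ })
$os = Get-CimInstance Win32_OperatingSystem

$report = [pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    OsBuild       = $os.Version
    LastBoot      = $os.LastBootUpTime
    KbInstalled   = [bool]$hotfix
    PendingReboot = $pendingReboot
}
$report | Format-List

# Non-zero exit lets a runner bootstrap refuse to rejoin the pool unpatched.
if (-not $report.KbInstalled -or $report.PendingReboot) { exit 1 }
```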
CI/CD and Build Infrastructure Considerations
Windows-hosted CI runners are often deprioritized for patching because teams treat them as ephemeral — but persistent self-hosted runners on Windows Server are as exposed as any workstation. The NTFS zero-day (CVE-2026-24991) is particularly relevant here: if a build pipeline mounts disk images or processes container layer tarballs as part of artifact handling, a malicious image injected into the pipeline could trigger RCE on the build agent.
- GitHub Actions self-hosted runners on Windows: Apply Windows Update before re-queuing jobs. Microsoft-hosted runners are already patched as of today.
- Azure Pipelines self-hosted agents: Same — patch the host OS, reboot, reconnect the agent pool.
- Jenkins on Windows: Patch both the controller and any Windows build nodes. The Azure DevOps Server CVE (CVE-2026-24962) may also affect self-hosted Jenkins via shared authentication integrations.
- Docker Desktop on Windows: Relies on Hyper-V or WSL2 — patch the host Windows to close the Hyper-V guest-escape (CVE-2026-21406) before resuming container-based development.
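One way to reduce the disk-image exposure described above while agents are still being patched, as an added example rather than code from the article: a pre-build step that fails the job when the workspace contains a VHD or VHDX image, matched by extension or by file signature so renamed images are caught as well. The `$Root` parameter and the `Get-DiskImageKind` function name are assumptions.

```powershell
# Added example, not from the article. Reads raw bytes only; no file is mounted.
param([string]$Root = '.')   # assumed: path of the checked-out workspace

function Get-DiskImageKind {
    param([string]$Path)
    $ascii = [System.Text.Encoding]::ASCII
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 8
        $n = $fs.Read($buf, 0, 8)
        $magic = $ascii.GetString($buf, 0, $n)
        if ($magic -ceq 'vhdxfile') { return 'VHDX' }  # VHDX file identifier
        if ($magic -ceq 'conectix') { return 'VHD' }   # dynamic VHD: footer copy at offset 0
        if ($fs.Length -ge 512) {
            # Fixed VHD: the 512-byte footer sits at the end of the file.
            [void]$fs.Seek(-512, [System.IO.SeekOrigin]::End)
            $n = $fs.Read($buf, 0, 8)
            if ($ascii.GetString($buf, 0, $n) -ceq 'conectix') { return 'VHD' }
        }
        return $null
    } finally {
        $fs.Dispose()
    }
}

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue
$hits = foreach ($f in $files) {
    $kind = $null
    try { $kind = Get-DiskImageKind -Path $f.FullName }
    catch { Write-Warning "unreadable: $($f.FullName)" }
    # Fall back to the extension when the signature did not match.
    if (-not $kind -and $f.Extension -match '^\.(vhd|vhdx)$') { $kind = 'extension only' }
    if ($kind) { [pscustomobject]@{ Kind = $kind; Path = $f.FullName } }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'Disk images found in workspace; failing the job before any step touches them.'
    exit 1
}
Write-Host 'No VHD/VHDX images found.'
```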
March 2026 in Context: Patch Tuesday Trend
March 2026's 79-CVE count is the highest Patch Tuesday volume since November 2025 (84 CVEs) and continues a trend of elevated monthly patch loads driven by AI-assisted vulnerability research. Security teams using LLM-based code analysis are discovering vulnerability classes in Windows components that manual review missed — the pace of disclosure is accelerating faster than enterprise patch cycles can absorb.
- Jan 2026: 62 CVEs (3 Critical)
- Feb 2026: 71 CVEs (5 Critical, 1 zero-day)
- Mar 2026: 79 CVEs (11 Critical, 2 zero-days) ← today
The cadence reinforces the case for automated patch management — relying on manual update cycles for developer workstations creates an expanding window of exposure between each Patch Tuesday.
BleepingComputer: Full March 2026 Patch Tuesday breakdown →
Microsoft Security Response Center — Update Guide →