← Back to Security Blog
Security Briefing 8 min read

Microsoft Patches 4 Zero-Days in March 2026 Patch Tuesday

Microsoft's March 2026 Patch Tuesday addresses 67 vulnerabilities including 4 actively exploited zero-days affecting Windows kernel, NTFS, and Microsoft Management Console. Immediate patching critical.


Patch Tuesday Overview

Microsoft's March 2026 Patch Tuesday resolves 67 vulnerabilities across Windows, Office, Azure, and .NET. Four of these are actively exploited zero-days that require immediate attention.

⚠️ 4 Zero-Days Under Active Exploitation

CISA has added all four to the Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must patch within 21 days; all organizations should treat as emergency.


Zero-Day Vulnerabilities

CVEComponentCVSSImpact
CVE-2026-24983Windows Win32 Kernel Subsystem7.8Elevation of Privilege — local attacker gains SYSTEM
CVE-2026-24984Windows NTFS4.6Information Disclosure — sensitive data via USB
CVE-2026-24985Windows Fast FAT File System6.8Remote Code Execution via malicious VHD
CVE-2026-24993Microsoft Management Console7.8Remote Code Execution via crafted .msc file

Detailed Analysis

CVE-2026-24983 — Windows Kernel EoP (CVSS 7.8)

A use-after-free vulnerability in the Win32 kernel subsystem allows a local attacker to escalate privileges to SYSTEM. This is being used as part of post-compromise chains — once an attacker has initial access, they exploit this flaw to gain full system control.

CVE-2026-24984 — NTFS Information Disclosure (CVSS 4.6)

While lower severity, this NTFS flaw allows an attacker with physical access to read heap memory via a crafted USB device. This has been observed targeting high-value individuals in espionage campaigns.

CVE-2026-24985 — Fast FAT RCE (CVSS 6.8)

A maliciously crafted VHD file triggers a heap-based buffer overflow in the Fast FAT driver. Simply mounting the file can execute arbitrary code. Attack vector: email attachments or compromised file shares.

CVE-2026-24993 — MMC RCE (CVSS 7.8)

A specially crafted .msc file sent via email or hosted on a malicious website can execute arbitrary code when opened. Social engineering is the primary delivery mechanism — attackers send these as "IT admin tools" or "system configuration files."


Full Patch Summary

SeverityCount
Critical7
Important57
Moderate3

Recommended Actions

  1. Emergency patch: Deploy all four zero-day fixes within 24 hours
  2. Block .msc files: Add .msc to email attachment blocking rules
  3. Restrict VHD mounting: Limit auto-mount capabilities via Group Policy
  4. USB device control: Implement endpoint USB device whitelisting
  5. Monitor for exploitation: Watch for unusual kernel driver loading and privilege escalation events

Protect Your Organization with Kensai

AI-powered vulnerability management with 331,910+ CVEs indexed.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →