
Microsoft Patches 84 Flaws in March Patch Tuesday,

Microsoft has released the Windows 10 KB5078885 extended security update to fix the March 2026 Patch Tuesday vulnerabilities, including 2 zero-days and an issue that prevents some devices from shutting

What Happened

Microsoft’s March 2026 Patch Tuesday addressed a significant batch of security vulnerabilities across its ecosystem. The company released patches for 84 new flaws in its core software, with an additional 9 vulnerabilities patched in the Chromium-based Microsoft Edge browser, bringing the total to 93. Among these, eight vulnerabilities are rated Critical. Crucially, two of the flaws were publicly known and exploited as zero-days prior to the release of patches. A separate update, KB5078885, was issued for Windows 10 Extended Security Updates (ESU) to remediate these issues, including a separate bug that was preventing some devices from shutting down properly.

Why It Matters

The presence of two publicly known, exploited zero-days elevates this patch cycle from routine maintenance to an urgent security event. These flaws were actively being used in attacks before a fix was available, meaning unpatched systems are immediately vulnerable to compromise. The breadth of affected components - spanning Windows, Edge, and other Microsoft products - creates a wide attack surface that threat actors can probe. For organizations relying on Windows 10 ESU, this update is a critical lifeline, as these systems are often in legacy or sensitive environments where risk is already heightened. Delaying deployment directly increases the likelihood of a successful breach.

Technical Details

While specific CVE identifiers were not provided in the correlated intelligence, the technical scope is clear. The eight Critical-rated vulnerabilities typically allow for remote code execution (RCE) or elevation of privilege, often without requiring user interaction. The two zero-days being “publicly known” indicates their exploit details or proof-of-concept code may be circulating, lowering the barrier for additional threat actors to weaponize them. The Edge-specific patches are inherited from the upstream Chromium project, addressing vulnerabilities in the web rendering engine that are common vectors for drive-by download attacks. The separate shutdown bug in the Windows 10 ESU update, while likely less severe, underscores the operational impact of this release cycle.

Immediate Risk

The immediate risk is HIGH. Systems running unpatched Microsoft software, particularly those with internet-facing services or user browsing activity via Edge, are susceptible to exploitation. The two zero-days represent the most acute threat, as adversaries have a head start. Organizations using Windows 10 under the ESU program must apply KB5078885 promptly, as these systems no longer receive standard security updates and are therefore high-value targets. The inclusion of Critical RCE flaws means network propagation and widespread compromise are possible outcomes for delayed patching.

Security Insight

This Patch Tuesday underscores the non-negotiable priority of rapid vulnerability management, especially for publicly exploited flaws. Security teams should deprioritize testing for the two zero-day patches and deploy them immediately, leveraging emergency change procedures if necessary. For the broader set of patches, a risk-based approach is key: prioritize Critical RCE updates for internet-facing systems and client workstations. Furthermore, the Edge updates highlight the importance of maintaining browser security independently of the OS patch cycle; ensure browser update mechanisms are functional. For ESU customers, this event is a stark reminder of the increasing security debt and operational risk inherent in maintaining legacy, out-of-support platforms.
