)
)
Spring is in the air, and so is a fresh batch of Windows vulnerabilities. March 2026's Patch Tuesday brings no confirmed active exploitations, which is a welcome change of pace. But don't let that slow your patching cadence.
This month features a notification service memory leak that exposes session tokens, a pair of GDI bugs that chain into remote code execution, an accessibility flaw that grants SYSTEM privileges, and an SMB authentication bypass with echoes of WannaCry.
The common thread: input validation failures and trust assumptions that turn overlooked services into open doors.
For the full breakdown, listen to the Patch [FIX] Tuesday podcast.
CVE-2026-24282 [Important]
Push message routing service elevation of privilege vulnerability
CVE-2026-24282 (CVSS 5.5/10) targets the Windows Push Message Routing Service, the background process that handles notifications for email, chat, and app updates across Windows desktops and tablets. The root cause is an out-of-bounds read: the service fails to validate the length of incoming data, allowing a crafted request to read past the end of the push message buffer and into adjacent heap memory.
An attacker who already holds a low-privilege shell – through a compromised browser, malicious macro, or similar foothold – can send malformed requests to the service and capture leaked memory contents.
Because the Push Message Routing Service is constantly active and processing data from multiple apps, its heap is a target-rich environment.
Repeated scraping can yield cleartext session tokens, private keys, or other credentials stored in memory. A 5.5 CVSS score may not trigger urgency on its own, but those leaked credentials can turn a limited foothold into full account compromise.
Information disclosure is often the prerequisite for remote code execution – attackers use these leaks to defeat security features like ASLR and map out their next move.
How attackers may exploit this vulnerability
Send repeated malformed requests to the Push Message Routing Service, harvesting heap memory with each over-read to collect session tokens or encryption keys.
Use a stolen cleartext session token to impersonate a legitimate user, bypassing authentication on connected services without needing the user's password.
Chain the leaked private keys or tokens with lateral movement techniques to escalate from a single compromised endpoint to broader network access.
What to look out for
Unusual or repeated interactions with the Push Message Routing Service from non-standard processes.
Session token reuse or authentication events that don't match expected user behavior – a sign that harvested credentials are in play.
Unexpected memory access patterns on multi-user environments like RDS or Citrix servers, where the service handles notifications for many users simultaneously.
Mitigation guidance
Apply the Microsoft patch immediately. There is no workaround for this vulnerability beyond the official update.
Prioritize multi-user environments. Terminal servers, Citrix hosts, and shared Windows tablets carry higher risk because their notification services handle data for many users at once.
Monitor for abnormal service behavior. Flag unexpected crashes or high-frequency requests targeting the Push Message Routing Service in your endpoint detection tooling.
Rotate session tokens and credentials after patching, especially on systems where the service has been running unpatched for an extended period.
CVE-2026-25181 and CVE-2026-25190 [Important]
GDI+ information disclosure vulnerability and GDI remote code execution vulnerability
These two vulnerabilities are rated medium-severity on their own – CVE-2026-25181 at CVSS 7.5/10 and CVE-2026-25190 at CVSS 7.8/10. Chained together, they form a two-stage attack that bypasses a core Windows security feature and delivers remote code execution with near-total reliability.
The first link in the chain, CVE-2026-25181, targets GDI+ (Graphics Device Interface), the Windows component responsible for image rendering. It exploits a memory over-read triggered by a malicious metafile image.
The data it leaks defeats ASLR (Address Space Layout Randomization), the security feature that randomizes where programs and libraries load in memory each time a system boots. ASLR shuffles the deck of your computer's memory on every restart – an attacker might have a malicious DLL ready, but without knowing the layout, they can't place it correctly. CVE-2026-25181 reveals the card order.
The second link, CVE-2026-25190, is a GDI remote code execution vulnerability that exploits an untrusted search path flaw. Once an attacker maps the victim's memory layout using CVE-2026-25181, they craft a malicious DLL tuned to that specific layout. Delivered through a phishing email – a ZIP file containing a seemingly legitimate installer, for example – the DLL loads with near-100% reliability because the memory puzzle is already solved.
The precision required to pull this off suggests nation-state-level investment, but the payoff matches: clean, reliable remote code execution on the target system.
How attackers may exploit this vulnerability
Deliver a malicious metafile image through a compromised or malicious web page, triggering the GDI+ over-read (CVE-2026-25181) to map the victim's memory layout and defeat ASLR.
Send a phishing email with a ZIP attachment containing a malicious DLL calibrated to the victim's memory layout, achieving remote code execution through CVE-2026-25190.
Use the initial GDI+ information disclosure passively through browser-based image rendering, making the reconnaissance phase difficult to detect with traditional security alerts.
Combine with social engineering to convince users to open seemingly legitimate project files, installers, or updates contained in the ZIP payload.
What to look out for
Unexpected metafile or image processing activity in browsers or document viewers, particularly from untrusted sources.
DLL loading events from unusual paths – especially user-writable directories like Downloads or temp folders – following recent browser activity.
Phishing emails containing ZIP files with executables or installers, particularly targeting users who recently visited unfamiliar websites.
Mitigation guidance
Patch both CVE-2026-25181 and CVE-2026-25190 together. The information disclosure vulnerability enables the remote code execution vulnerability – patching only one leaves the attack chain partially intact.
Focus detection efforts on the second stage (CVE-2026-25190). The initial memory reconnaissance through GDI+ is difficult to distinguish from normal image rendering. DLL loads from untrusted paths and post-exploitation behavior are more detectable.
Block or quarantine ZIP attachments containing executables at the email gateway to disrupt the most likely delivery mechanism for the second stage.
Review endpoint detection rules for untrusted DLL loading patterns, and confirm ASLR enforcement is enabled across your environment as a defense-in-depth measure.
CVE-2026-24291 [Important]
Windows accessibility infrastructure elevation of privilege vulnerability
CVE-2026-24291 (CVSS 7.8/10) targets ATBroker.exe, the Windows Accessibility Infrastructure broker. The root cause is an incorrect permission assignment on a critical resource. A successful exploit grants the attacker SYSTEM privileges – the highest level of access on a Windows machine, above even administrator. SYSTEM is effectively the operating system itself.
What makes this flaw worth your attention is where it lives. Accessibility services run with elevated trust by design because they need deep interaction with the OS to function. That elevated trust also means they're rarely included on endpoint hardening checklists.
When did your IT team last audit the accessibility broker's permissions? Most haven't. This is a pattern worth tracking: services that operate with high trust and low scrutiny make ideal escalation targets.
An attacker only needs an initial foothold – a phishing email, a compromised low-privilege account – and then this flaw provides a direct path to SYSTEM. From there, they can disable security tools, dump credentials, and move laterally across your network.
How attackers may exploit this vulnerability
Gain initial access through phishing or credential compromise, then exploit ATBroker.exe to jump from a standard user account directly to SYSTEM privileges.
Use SYSTEM access to disable endpoint detection and response (EDR) tools, removing visibility before launching further attacks.
Dump cached credentials from the compromised endpoint and use them to move laterally across the network.
What to look out for
Unexpected process activity involving ATBroker.exe, especially if triggered by non-accessibility workflows or unfamiliar parent processes.
Security tools or services being disabled or modified on endpoints where accessibility features aren't actively in use.
Credential access events (such as LSASS memory reads) shortly following privilege escalation on a compromised endpoint.
Mitigation guidance
Apply the Microsoft patch as a priority. Local privilege escalation combined with any initial access vector makes this a high-value target for attackers.
Audit accessibility services in your environment. Identify which endpoints have ATBroker.exe running and whether those services are actively needed.
CVE-2026-24294 [Important]
Windows SMB server elevation of privilege vulnerability
CVE-2026-24294 (CVSS 7.8/10) targets the Windows SMB server, and Microsoft has flagged it as "exploitation more likely." The root cause is improper authentication – the SMB server isn't correctly verifying who is taking a given action.
A successful exploit grants SYSTEM privileges. SMB (Server Message Block) is the backbone of file and printer sharing across Windows networks, and it's network-facing by design. It's built to talk to other machines, which means the attack surface is wider than a purely local exploit. If SMB is reachable, attackers are interested.
The history here matters. EternalBlue, WannaCry, NotPetya – they all rode on SMB vulnerabilities. Those incidents caused some of the worst overnights in the industry. And yet, many environments still leave SMB wide open internally on the assumption that "it's only internal traffic." That assumption is exactly what attackers count on.
How attackers may exploit this vulnerability
Compromise a low-privilege account and authenticate to the SMB server legitimately, then exploit the authentication flaw to escalate to SYSTEM.
Leverage printer service accounts – especially scan-to-file accounts that authenticate over SMB – as an entry point. These service accounts are often over-provisioned with administrative roles.
Use SYSTEM access on the SMB server as a pivot point for lateral movement across file servers and network shares.
What to look out for
Unexpected authentication patterns on SMB servers, particularly from accounts that don't normally interact with file shares.
Service account activity outside of expected workflows – a scan-to-file account authenticating at odd hours or accessing unusual directories is a red flag.
Lateral movement indicators following SMB authentication events, such as new remote sessions or process creation on adjacent systems.
Mitigation guidance
Apply the patch and prioritize it. Microsoft's "exploitation more likely" rating and SMB's history make this one you should not defer.
Confirm that SMB version 1 is fully disabled in your environment. Every new SMB vulnerability is a good time to verify this.
Rotate and properly scope SMB service accounts, especially those used for printer scan-to-file functionality. An administrative service account on a printer is a gift to any attacker who gains network access.
Patch regularly, patch often
March's updates reinforce a theme that comes up every Patch Tuesday: don't ignore medium-severity vulnerabilities. A CVSS 5.5 memory leak and a pair of 7.5/7.8 GDI bugs look manageable in isolation. Chained together or combined with an initial foothold, they become full compromise paths.
The same applies to trusted services like accessibility infrastructure and internal protocols like SMB – the things you assume are safe are often the things attackers target first.
Patching is your first line of defense, but it works best alongside broader security hygiene. Audit your service accounts. Review which services run with elevated trust and whether they need to. Segment your network so that internal protocols aren't reachable from every corner. Train your users to spot phishing. And the next time you're triaging a Patch Tuesday update, give the mediums a second look. They're worth your time.
)
)