March 2026 [SMB Is Back and ASLR Gets Shuffled]

CVE-2026-24294 (CVSS 7.8) is an improper authentication flaw in the Windows SMB server that grants SYSTEM. SMB is network-facing by design, so the attack surface is wider than a local-only exploit. EternalBlue, WannaCry, and NotPetya all rode on SMB.

CVE-2026-24282 (CVSS 5.5) is an out-of-bounds read in the Windows Push Message Routing Service. Repeated malformed requests scrape adjacent heap memory for cleartext session tokens and private keys, turning a low-privilege foothold into account compromise.

CVE-2026-25181 (CVSS 7.5) and CVE-2026-25190 (CVSS 7.8) chain together: the GDI+ over-read leaks memory layout to defeat ASLR, then a malicious DLL tuned to that layout loads with near-100% reliability for remote code execution. Patch both.

CVE-2026-24291 (CVSS 7.8) targets ATBroker.exe, the Windows Accessibility Infrastructure broker. An incorrect permission assignment lets an attacker with an initial foothold escalate directly to SYSTEM, the highest access level on a Windows machine, above administrator.

Printer scan-to-file service accounts authenticate over SMB and are often over-provisioned with administrative roles. Ryan's guidance after patching is to rotate those credentials and scope the accounts to only the folders they need.