Patch [FIX] Tuesday – March 2026 [SMB Is Back and ASLR Gets Shuffled], E29
MAR 10, 2026 | 21 MIN
Description
March 2026's Patch Tuesday brings no active exploitations, but don't let that fool you. This month, Ryan Braunstein and Henry Smith break down why medium-severity vulnerabilities deserve your full attention.

First up: a Push Message Routing Service memory leak (CVE-2026-24282, CVSS 5.5) that lets attackers scrape session tokens and private keys from heap memory. Then, a pair of GDI bugs (CVE-2026-25181 and CVE-2026-25190) that chain together to defeat ASLR and deliver remote code execution with near-perfect reliability. Henry covers a Windows Accessibility Infrastructure flaw (CVE-2026-24291) hiding in a service most teams never think to harden, plus an SMB authentication bypass (CVE-2026-24294) that echoes EternalBlue and WannaCry.

What you'll learn:
- How attackers chain medium-severity bugs into full compromise paths
- Why the Push Message Routing Service is a target-rich environment for credential theft
- How a two-stage GDI exploit defeats ASLR with near-100% reliability
- Why accessibility services are blind spots on your hardening checklists
- What SMB's history with EternalBlue and WannaCry means for this month's auth bypass

Patch your systems. Audit your service accounts. Don't skip the mediums.