Office CVE-2026-26110 and CVE-2026-26113 (March 2026 Patch Tuesday): Patch Now for Preview Pane RCE

Microsoft shipped fixes for two recently disclosed critical Microsoft Office vulnerabilities—CVE‑2026‑26110 and CVE‑2026‑26113—that can lead to arbitrary code execution when a crafted file is processed locally, and defenders should treat these updates as high priority because the Outlook and File Explorer preview/preview‑pane functionality can trigger the flaws without the user opening the file directly.

Background / Overview

Microsoft’s March 2026 Patch Tuesday bundle closes a short but dangerous window for attackers who can combine remote delivery (for example, email attachments or files shared via cloud links) with local processing that causes vulnerable Office code to run. The vendor’s published advisories and multiple independent patch‑analysis firms show both CVE‑2026‑26110 and CVE‑2026‑26113 are classified as Remote Code Execution (RCE) in impact, with mechanics that require local parsing of the crafted content.
That distinction—remote delivery, local execution—is an operational nuance that routinely causes confusion, so it’s worth spelling out plainly: an attacker can send a malicious Office file from anywhere, but the exploit triggers when Office parses or renders the file on the recipient’s machine. Because Outlook’s Preview Pane and File Explorer preview handlers invoke Office parsing code without a full double‑click or an explicit “Enable Macros” decision, those UI conveniences are legitimate attack vectors. Several security vendors who reviewed the March 2026 rollup call out preview‑pane exploitation specifically for these two Office CVEs.
Microsoft has published updates for all supported Office channels; systems still running unsupported products (for example, Office 2013) will not receive these fixes and therefore remain vulnerable unless the product is upgraded. Microsoft’s lifecycle documentation confirms Office 2013 reached end of support and no longer receives security updates.

What the CVEs actually say (technical summary)

CVE‑2026‑26113 — memory pointer handling, RCE via preview

  • Public bulletin/analysis from multiple vendors characterizes CVE‑2026‑26113 as a memory‑corruption / untrusted pointer dereference condition in Microsoft Office that can be weaponized for remote code execution when a specially crafted file is parsed. The flaw has been called critical by Microsoft and security researchers and carries a high CVSS base score in vendor writeups.
  • The practical exploit chain reported by analysts shows a remote sender can deliver the malicious document, and the victim’s local Office process will parse (or render) the file—possibly in the Outlook Preview Pane or Explorer preview—causing the vulnerable code path to execute attacker‑controlled payloads.

CVE‑2026‑26110 — local parsing, RCE via preview

  • CVE‑2026‑26110 is likewise described by Microsoft and third‑party trackers as a remote code execution issue that requires the target machine to process a crafted Office file locally. Public advisories list it among the critical Office fixes in March 2026 and note the same preview‑pane exposure.
  • The common operational takeaway for both CVEs: the attack vector is “remote delivery / local execution.” That’s functionally equivalent to receiving a malicious file over email or cloud share and having the system process it in a way that invokes Office document parsing. Practical exploitation does not necessarily need macros or user prompts.

Why this matters to you (threat model and real‑world risk)

There are three practical reasons to treat these patches as urgent:
  • Preview panes are ubiquitous. Millions of users rely on Outlook’s reading pane and Explorer’s preview for productivity; that same convenience can execute document parsing code without the user fully “opening” the file. Several independent advisories explicitly flag the preview pane as a viable attack vector for these CVEs.
  • Remote delivery is trivial for attackers. Sending a weaponized attachment or a link to a crafted file is a common, low‑cost tactic used by widespread phishing campaigns. Because exploitation depends on local processing rather than authentication or privilege escalation, successful attacks commonly run in the context of the logged‑on user and can steal data or drop further payloads.
  • Legacy and unmanaged systems remain exposed. Organizations and individuals still running end‑of‑life Office versions will not receive these fixes. Microsoft’s lifecycle calendar shows Office 2013 reached end of support in April 2023; systems that weren’t upgraded or migrated are unlikely to be protected unless they are replaced or removed from sensitive networks.
Taken together, that means a moderately skilled attacker can craft a plausible phishing message, rely on default preview‑pane behavior to trigger the vulnerability, and execute code with user‑level privileges: sufficient to steal documents, persist via scheduled tasks or user‑level autostart, or attempt privilege escalation with follow‑on bugs. Vendor analysis of the March rollup marked these Office entries among the higher‑priority critical fixes in that cycle.

Strengths of Microsoft’s response — what they did well

  • Rapid, cross‑channel patches: Microsoft included fixes for these Office flaws in the March 2026 security release and made updates available across supported Office servicing channels. Independent patch trackers and vendors corroborated the presence of KBs and update packages in the monthly rollup.
  • Clear operational messaging on the RCE vs local nuance: Microsoft’s advisory language and community guidance have increasingly emphasized the “remote delivery / local execution” pattern, which helps defenders triage risk more effectively when the CVSS Attack Vector is AV:L (Local) but the impact is RCE. That nuance is critical for accurate incident prioritization: a scanner that sorts by Attack Vector alone will rank these below network‑reachable bugs even though they are triggered by routine email handling.
  • Multiple mitigations available: while the vendor’s patch is the authoritative fix, Microsoft and security vendors documented practical mitigations (disable preview handlers, enforce Protected View, or restrict ActiveX/legacy handlers) that administrators can use as temporary risk‑reduction steps until updates are applied.

Where the approach still falls short (risks and gaps)

  • UI features as attack surfaces: Preview panes and convenience‑oriented handlers are still deeply integrated into Windows usability and productivity workflows. Protecting those surfaces without disrupting work is hard, and blanket mitigations (disable preview) are often unacceptable in high‑productivity environments.
  • Messaging friction: The difference between a CVE title that says “Remote Code Execution” and a CVSS Attack Vector of AV:L (Local) will continue to confuse non‑specialist administrators and many end users. That confusion can delay patching or result in the wrong mitigations being applied. Independent community guidance and vendor writeups have tried to close this gap, but defenders still need to translate the nuance into concrete operational checks.
  • Unsupported products left behind: Organizations still running Office 2013 (or other end‑of‑life clients) must be explicitly identified and remediated because they will not receive vendor patches; migration is the only real fix for those hosts. Microsoft’s lifecycle documents show Office 2013 reached end of support on April 11, 2023.

Practical mitigation checklist — immediate steps for home users

If you’re a home user or a small office administrator, follow these steps right now:
  • Install updates
  • Open Settings → Windows Update and install all available Windows updates. Note that Windows Update only carries Office fixes for MSI‑based Office installs (and only when “Receive updates for other Microsoft products” is enabled); Click‑to‑Run Office (Microsoft 365 Apps, Office 2019/2021/2024) updates itself, so also open any Office app and run File → Account → Update Options → Update Now. Microsoft’s March 2026 rollup contains the fixes; apply them and reboot if required. Multiple patch analysts confirm the CVEs were included in the March release.
  • Temporarily disable the Outlook reading (Preview) pane
  • In Outlook: View → Reading Pane → Off. If you need the reading pane for mail bodies, keep it and instead turn off attachment previewing under File → Options → Trust Center → Trust Center Settings → Attachment Handling → “Turn off Attachment Preview”. Either setting stops Outlook from automatically invoking the Office preview handlers on attachments, which is the code path these CVEs reach. Several advisories list the preview pane as a practical attack vector.
  • Turn off File Explorer preview pane for risky file types
  • In File Explorer: View → Show → Preview Pane (toggle off). If you need previews, consider only enabling them for trusted directories or files you have scanned.
  • Harden Office Protected View and Trust Center
  • In Word/Excel/PowerPoint: File → Options → Trust Center → Trust Center Settings → Protected View — ensure “Enable Protected View for files originating from the internet” is enabled, and consider restricting other settings temporarily.
  • Don’t rely on macros or prompts as the only defense
  • These CVEs do not require the user to enable macros; therefore, simply blocking macros is not a comprehensive mitigation. Treat attachments from untrusted senders as potential code execution vectors regardless of macro settings.
  • If you can’t patch: isolate the host
  • If an affected machine can’t be updated immediately (for example, older unmanaged laptops running EOL Office), consider removing network access to sensitive shares, restricting email attachments to an intermediary sandbox, or decommissioning the host. Unsupported Office versions will not receive these security fixes.
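The checklist above and the enterprise “temporary UI mitigations” item later on both come down to a few registry‑backed policy settings. The script below is an added example, not code from the article or from Microsoft: it applies (or, with -Revert, removes) the Explorer and Outlook preview mitigations for the current user and lists which preview handler CLSIDs would render Office file types. The policy value names (NoReadingPane, DisableAttachmentPreviewing) and their locations are assumptions taken from the Windows and Office administrative templates; verify them against the ADMX files in your estate before pushing them centrally through GPO or Intune.

```powershell
# Added example (not from the article): per-user preview-pane mitigations with a -Revert switch,
# plus an inventory of the preview handlers registered for Office document types.
[CmdletBinding()]
param(
    [switch]$Revert,                 # undo the mitigations once the March 2026 updates are verified
    [string]$OfficeVersion = '16.0'  # registry version for Microsoft 365 Apps and Office 2016 through 2024
)

# File Explorer policy "Turn off Preview Pane" (assumed value: NoReadingPane = 1).
$explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Outlook policy "Do not allow attachment previewing" (assumed value: DisableAttachmentPreviewing = 1).
$outlookPolicy  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options"

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Remove-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path -Path $Path) {
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    }
}

# The IPreviewHandler shell extension category. A ProgId's (or extension's) ShellEx subkey of
# this name holds the CLSID of the handler that renders the file inside a preview pane.
$previewHandlerCategory = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'
$officeExtensions = '.doc', '.docx', '.docm', '.rtf', '.xls', '.xlsx', '.xlsm', '.ppt', '.pptx', '.pptm'

function Get-OfficePreviewHandler {
    foreach ($ext in $officeExtensions) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        foreach ($base in "Registry::HKEY_CLASSES_ROOT\$progId", "Registry::HKEY_CLASSES_ROOT\$ext") {
            $clsid = (Get-ItemProperty -Path "$base\ShellEx\$previewHandlerCategory" -ErrorAction SilentlyContinue).'(default)'
            if ($clsid) {
                [pscustomobject]@{ Extension = $ext; ProgId = $progId; HandlerClsid = $clsid }
                break
            }
        }
    }
}

if ($Revert) {
    Remove-PolicyValue -Path $explorerPolicy -Name 'NoReadingPane'
    Remove-PolicyValue -Path $outlookPolicy  -Name 'DisableAttachmentPreviewing'
    Write-Host 'Preview mitigations removed; sign out and back in so Explorer and Outlook reload policy.'
} else {
    Set-PolicyDword -Path $explorerPolicy -Name 'NoReadingPane' -Value 1
    Set-PolicyDword -Path $outlookPolicy  -Name 'DisableAttachmentPreviewing' -Value 1
    Write-Host 'Explorer preview pane and Outlook attachment preview disabled for this user.'
}

# These handler CLSIDs can be disabled individually by removing them from the machine-wide
# enabled list at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers (admin rights;
# not done here so the per-user script stays reversible).
Get-OfficePreviewHandler | Format-Table -AutoSize
```

Run it once without arguments before patching and with -Revert after the build check passes; the handler table is what you would feed into a machine‑wide deny list if the per‑user policy is not enough for your environment.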

Enterprise guidance — prioritized actions for IT and security teams

  • Patch fast, test faster: Move the Office updates into your usual deployment pipelines—WSUS, Configuration Manager, Intune/Endpoint Manager—and expedite pilot testing in a small ring before broad rollout. Treat the Office fixes among the highest priority items in the March 2026 update cycle. Vendor analyses and patch trackers flagged these CVEs as critical in that update.
  • Consider temporary UI mitigations
  • Disable Preview Pane handlers centrally via Group Policy where feasible.
  • Restrict file preview handler registration for Office file types using administrative templates or configuration profiles.
  • Note: such mitigations reduce exposure but may require end‑user communication and temporary process changes.
  • Use detection and EDR controls
  • Create telemetry and hunting queries for suspicious Office document parsing and unusual child processes launched from Outlook/Office binaries.
  • Monitor for process injection, anomalous network connections from Office processes, and persistence artifacts created by user‑context malware. Several vendor writeups recommend post‑patch telemetry checks and endpoint hunting.
  • Harden inbound mailflow
  • Leverage email gateway controls to strip or quarantine suspicious attachments and use sandbox detonation for unknown or high‑risk documents.
  • Consider converting Office attachments to safe formats or requiring employees to download and scan attachments into a quarantined environment before viewing.
  • Identify legacy estate and remediate
  • Inventory Office versions across your estate and flag Office 2013 or other EOL clients for immediate remediation plans. Microsoft’s lifecycle guidance documents list Office 2013 end‑of‑support dates and the implications of running unsupported clients.

How to verify the patch landed (quick sanity checks)

  • Check Windows Update history for March 10–11, 2026 entries corresponding to Office security updates. Click‑to‑Run Office (Microsoft 365 Apps, Office 2019/2021/2024) updates from the Office CDN and does not appear in Windows Update history; for those installs read the build from File → Account → About in any Office app, or from the ClickToRun configuration key in the registry.
  • For managed environments, confirm KB package deployment status in WSUS / ConfigMgr reports and Intune device update status.
  • Use endpoint inventory tools to verify Office build numbers match vendor guidance in the March release notes and Security Update Guide; independent patch trackers list the affected CVEs and which build revisions contain the fixes.
If you apply the updates but still see preview failures, remember that disabling preview handlers or toggling Protected View can change the observed behavior; validate both the security fix and the UI configuration together.
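The build check above, and the legacy‑estate inventory the enterprise section asks for, can be done with one script per host. This is an added example, not code from the article or from Microsoft: it reads the installed Office build from the Click‑to‑Run configuration key (or, for MSI installs, from the Uninstall registry) and compares it against a table of minimum fixed builds. The table is a placeholder; the real fixed build numbers for CVE‑2026‑26110 and CVE‑2026‑26113 come from the Security Update Guide and are not reproduced here.

```powershell
# Added example (not from the article): report the installed Office build and whether it meets
# a minimum fixed build. Fill $fixedBuilds from the March 2026 Security Update Guide entries.

function Get-OfficeInstallInfo {
    # Click-to-Run installs record their build in the ClickToRun configuration key
    # (Office 2013 C2R used a version-specific path, which still matters for EOL detection).
    $c2rPaths = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration',
                'HKLM:\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration'
    foreach ($path in $c2rPaths) {
        $c2r = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($c2r -and $c2r.VersionToReport) {
            return [pscustomobject]@{
                Install = 'ClickToRun'
                Product = $c2r.ProductReleaseIds   # e.g. O365ProPlusRetail
                Channel = $c2r.UpdateChannel       # CDN URL identifying the servicing channel
                Version = [version]$c2r.VersionToReport
            }
        }
    }
    # MSI installs (including end-of-life Office 2013, version 15.x) register under Uninstall.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Microsoft Office (Professional|Standard|Home)' -and
                       $_.DisplayVersion -match '^\d+\.\d+' } |
        Sort-Object { [version]$_.DisplayVersion } -Descending |
        Select-Object -First 1 |
        ForEach-Object {
            [pscustomobject]@{
                Install = 'MSI'
                Product = $_.DisplayName
                Channel = 'Microsoft Update (MSI servicing)'
                Version = [version]$_.DisplayVersion
            }
        }
}

function Get-OfficePatchStatus {
    param(
        [Parameter(Mandatory)][version]$Installed,
        # Assumed shape: 'major.minor' -> minimum build containing the fix, from the SUG.
        [Parameter(Mandatory)][hashtable]$MinimumFixedBuild
    )
    if ($Installed.Major -le 15) { return 'Unsupported (Office 2013 or older): no fix will ship, migrate' }
    $family = "$($Installed.Major).$($Installed.Minor)"
    if (-not $MinimumFixedBuild.ContainsKey($family)) { return "No threshold recorded for build family $family" }
    if ($Installed -ge [version]$MinimumFixedBuild[$family]) { 'Patched' } else { 'Vulnerable' }
}

# PLACEHOLDER threshold: replace with the fixed build Microsoft publishes for these CVEs
# before trusting the Status column on any host.
$fixedBuilds = @{ '16.0' = '16.0.0.0' }

$info = Get-OfficeInstallInfo
if (-not $info) { Write-Warning "No Office install found on $env:COMPUTERNAME"; return }
$info |
    Add-Member -NotePropertyName Host   -NotePropertyValue $env:COMPUTERNAME -PassThru |
    Add-Member -NotePropertyName Status -NotePropertyValue (Get-OfficePatchStatus -Installed $info.Version -MinimumFixedBuild $fixedBuilds) -PassThru |
    Format-List
```

Run it through your remote execution tool of choice (Invoke-Command, ConfigMgr scripts, Intune remediation) and collect the objects centrally; anything with a 15.x version is an Office 2013 host that needs migration rather than a patch, and anything below the recorded threshold is still exposed through the preview pane.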

Tactical detection tips (what to hunt for)

  • Suspicious Office process activity:
  • Office processes (winword.exe, excel.exe, outlook.exe) spawning unusual child processes or invoking cmd/powershell scripts in the context of user sessions.
  • Uncommon DLL loads into Office process memory, especially from %TEMP% or user profile locations.
  • Network indicators:
  • Document‑associated callback domains or post‑exploitation C2 traffic originating from user devices shortly after receiving suspicious attachments.
  • Persistence patterns:
  • New scheduled tasks, shortcut files in startup locations, or Office add‑ins installed without administrative approval.
Implement these hunts in your SIEM/EDR and correlate with mail gateway and web proxy logs to trace initial delivery vectors.
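The process‑activity hunt above (and the EDR item in the enterprise section) reduces to a parent/child rule over process‑creation telemetry. The script below is an added example, not code from the article or any vendor: it flags Office parents spawning interpreters, LOLBins, or executables from user‑writable paths, and runs here over constructed sample records so it works offline. The parent and child lists are an assumed baseline to tune per estate; ConvertFrom-SysmonProcessCreate is the adapter for live Sysmon Event ID 1 records.

```powershell
# Added example (not from the article): Office parent/child hunt over constructed sample data.
$officeParents      = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'onenote.exe', 'msaccess.exe'
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
                      'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe', 'schtasks.exe'
$userWritablePaths  = '\\AppData\\Local\\Temp\\', '\\AppData\\Roaming\\', '\\Downloads\\', '\\Users\\Public\\'
$cradlePattern      = '(?i)(-enc(odedcommand)?\s|downloadstring|downloadfile|frombase64string|-w(indowstyle)?\s+hidden|iex\s)'

function Test-SuspiciousOfficeChild {
    # $Record: object with Time, Host, ParentImage, Image, CommandLine (Image fields are full paths).
    param([Parameter(Mandatory)]$Record)
    $parent = [IO.Path]::GetFileName($Record.ParentImage).ToLowerInvariant()
    $child  = [IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
    if ($parent -notin $officeParents) { return $null }

    $reasons = @()
    if ($child -in $suspiciousChildren) { $reasons += "interpreter or LOLBin child ($child)" }
    foreach ($p in $userWritablePaths) {
        if ($Record.Image -match $p) { $reasons += 'child image in user-writable path'; break }
    }
    if ($Record.CommandLine -match $cradlePattern) { $reasons += 'hidden/encoded/download-cradle command line' }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Time = $Record.Time; Host = $Record.Host; Parent = $parent; Child = $child
        Reasons = ($reasons -join '; '); CommandLine = $Record.CommandLine
    }
}

function ConvertFrom-SysmonProcessCreate {
    # Turns a Get-WinEvent record for Sysmon Event ID 1 into the shape Test-SuspiciousOfficeChild expects.
    param([Parameter(Mandatory, ValueFromPipeline)]$WinEvent)
    process {
        $data = @{}
        foreach ($n in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time = $WinEvent.TimeCreated; Host = $WinEvent.MachineName
            ParentImage = $data.ParentImage; Image = $data.Image; CommandLine = $data.CommandLine
        }
    }
}

# Constructed sample records (not real telemetry): records 1 and 3 are benign, 2 and 4 should fire.
$office = 'C:\Program Files\Microsoft Office\root\Office16'
$sample = @(
    [pscustomobject]@{ Time='2026-03-11T09:02:11'; Host='WS01'; ParentImage="$office\OUTLOOK.EXE"; Image="$office\WINWORD.EXE"; CommandLine='WINWORD.EXE /n' }
    [pscustomobject]@{ Time='2026-03-11T09:02:14'; Host='WS01'; ParentImage="$office\WINWORD.EXE"; Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe /c powershell -nop -w hidden -enc QQBBAEEA' }
    [pscustomobject]@{ Time='2026-03-11T09:05:40'; Host='WS02'; ParentImage='C:\Windows\explorer.exe'; Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe' }
    [pscustomobject]@{ Time='2026-03-11T09:06:02'; Host='WS02'; ParentImage="$office\OUTLOOK.EXE"; Image='C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe'; CommandLine='invoice_viewer.exe' }
)

$hits = $sample | ForEach-Object { Test-SuspiciousOfficeChild -Record $_ } | Where-Object { $_ }
$hits | Format-Table -AutoSize

# Live data (needs Sysmon or Security 4688 with command-line auditing):
# Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 } |
#   ConvertFrom-SysmonProcessCreate | ForEach-Object { Test-SuspiciousOfficeChild -Record $_ } | Where-Object { $_ }
```

Expect two hits from the sample: the WINWORD → cmd.exe record (suspicious child plus an encoded, hidden PowerShell cradle) and the OUTLOOK → Temp executable record. The OUTLOOK → WINWORD record is normal attachment handling and is deliberately not flagged; keep that in mind when tuning, because an Office process spawning another Office process is common and an Office process spawning cmd.exe is not.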

Critical analysis — strengths, trade‑offs, and long‑term risk

Microsoft patched quickly and the coordinated vendor ecosystem amplified the alerting. That’s an operational win: the fixes were included in the March 2026 Patch Tuesday and independent security vendors documented the preview‑pane attack surface so administrators could adopt short‑term mitigations.
However, the recurring pattern—remote delivery, local execution—keeps showing up in Office bugs because Office continues to support legacy document formats on top of complex parsing stacks. Those stacks are fertile ground for memory‑safety issues that crop up as critical bugs. Until Office is rearchitected to eliminate unsafe parsing from non‑interactive surfaces, similar issues will reappear. The reality for defenders is that UI convenience features (preview, inline rendering) are high‑value attack vectors and should be treated as such in risk models.
There’s also a human factor cost: many organizations remain slow to deploy updates, and end users often expect to “set and forget” updates. For a vulnerability class that can be triggered by simply viewing an email, delayed patching is particularly dangerous. Finally, older Office clients that have reached end of life present a chronic, avoidable risk—patches won’t help those machines, so migration planning must be part of security strategy.

Short‑term checklist (one page quick action plan)

  • Patch Office and Windows immediately (apply March 2026 updates).
  • Disable Outlook and Explorer preview panes until the estate is patched.
  • Enforce Protected View for files from the internet and untrusted locations.
  • Hunt with EDR for Office parent/child anomalies and persistence artifacts.
  • Inventory and remediate EOL Office clients (Office 2013 and similar).

Final verdict — what readers should do next

This is not an academic bulletin: these Office bugs are practical and exploitable through everyday user behavior like viewing email previews. If you run supported Office builds, install the March 2026 updates today and confirm they applied. If you have any devices running Office 2013 or other unsupported clients, treat those systems as high risk—either isolate and replace them or remove them from sensitive networks immediately. Microsoft’s advisory and multiple independent vendors all point to the same operational risk and the same basic mitigations: patch, reduce attack surfaces (preview panes), and hunt for suspicious post‑delivery activity.
The convenience of preview panes is real, but in this case that convenience is a wedge an attacker can use to open a door. Close that door until your updates are in place—patch first, re‑enable second.
Conclusion: apply the Office updates from March 10–11, 2026 without delay, disable automatic preview parsing until verification is complete, and make legacy Office removal a prioritized project in your security roadmap.

Source: Windows Central, “Don't ignore these 'local' Office patches — your PC is at risk”