Microsoft has released patches for two newly disclosed critical vulnerabilities in Microsoft Office—tracked as CVE-2026-26110 and CVE-2026-26113—and administrators and everyday users should treat the update as urgent: both flaws allow remote code execution in the context of the current user and were included in Microsoft’s March 2026 Patch Tuesday rollup; fixes are available now through Microsoft Update and the usual enterprise update channels.
Background / Overview
Microsoft’s March 2026 Patch Tuesday closed out a large set of issues across Windows, Office, and related products. Security researchers and industry vendors flagged two Office vulnerabilities as particularly serious because they allow execution of arbitrary code when a user’s system processes a malicious Office document—commonly through the file preview and rendering mechanisms many users rely on. Multiple security outlets and vendor advisories summarizing the March release describe the pair—CVE-2026-26110 and CVE-2026-26113—as critical remote code execution (RCE) flaws with high base scores (reported at CVSS 8.4), and Microsoft has published updates to remediate them.
Those two CVEs sit alongside several other important fixes issued on March 10–11, 2026; for defenders this month’s release is another reminder that Office-format weaponized documents remain a high-probability attack vector and that patching Office is no longer an optional maintenance chore.
What the two Office flaws are (technical summary)
CVE‑2026‑26110 — Type confusion in Office rendering
- What it is: Reported as a type confusion defect inside Office’s document processing code. Type confusion occurs when code treats data as one type while it is actually another—an error that attackers can manipulate to corrupt memory, overwrite control structures, and ultimately redirect execution to attacker-controlled code.
- Impact: Results in remote code execution in the context of the logged-in user if a specially crafted file is processed by Office components.
- Reported severity: CVSS base score reported around 8.4 (Critical) in public security rundowns.
CVE‑2026‑26113 — Untrusted pointer dereference / improper memory handling
- What it is: Described as an untrusted pointer dereference vulnerability where Office improperly handles pointers derived from crafted input. In practice this can lead to memory corruption and execution of arbitrary instructions.
- Impact: Also enables code execution as the current user and is treated as critical by Microsoft and multiple security vendors.
- Reported severity: Public reporting lists a CVSS base score of 8.4 for this issue as well.
I should note an important nuance that has generated confusion among defenders: Microsoft’s advisory text and the published CVSS vectors sometimes list the Attack Vector as Local (AV:L), while technical descriptions and vendor analyses refer to exploitation via the Preview Pane and other remote delivery methods. The apparent contradiction resolves in practice: the vulnerable code executes locally, but an attacker can often cause that local processing by remotely delivering a file that a preview pane or similar facility will render, a remote delivery with a local trigger. Security teams should treat these as real RCE risks even if a CVSS label reads AV:L.
Who and what is affected
- Product families listed in vendor summaries and vulnerability feeds include: Microsoft 365 Apps (Click‑to‑Run), Office 2016, Office 2019, Office 2021, Office LTSC / 2024, and Office for macOS variants in the corresponding LTSC/current lines. Some server-side products that parse Office content—such as on‑premises SharePoint—are also referenced in aggregated advisories.
- Important lifecycle note: Microsoft no longer issues security updates for versions that have reached end of support. Customers still running Office 2013 (already end‑of‑life) or Office 2016/2019 after their announced EOS dates should plan upgrades—Microsoft ended support for Office 2016 and Office 2019 on October 14, 2025, which means those specific builds no longer receive security fixes beyond that date unless covered by special extended arrangements. If you have unmanaged legacy Office installs, they present a larger and unpatched attack surface.
- Attack complexity and prerequisites: Public reporting stresses that the flaws enable code execution in the context of the user—but the attacker typically needs to get a crafted file onto the target machine or get it processed by a preview or rendering function. That can be done via email, web delivery, shared storage, or malicious attachments; in some cases the exploit path can be zero-click when a preview pane automatically renders the malicious document.
Why this matters: risk scenarios and historical context
Office‑format RCEs are a perennial favourite for attackers. The combination of ubiquity (Office is installed across millions of endpoints), user acceptance (people open attachments), and rich document processing (features like embedded objects, previews, macros, and OLE) gives attackers multiple public-facing attack surfaces.
- Realistic exploitation paths:
- Targeted phishing: attacker sends a crafted document to a user; Office preview or viewing triggers the exploit before the user actively opens the file.
- Shared-storage compromise: attacker drops a malicious file in a shared drive that an employee’s machine auto-previews.
- Supply-chain/document distribution: a malicious file distributed via collaboration platforms or shared repositories reaches users who rely on the preview pane.
- Historical analogies: past Office RCEs—Equation Editor bugs, the Follina MSHTML issues, and other widely exploited defects—have repeatedly shown how a single Office parsing flaw can power large campaigns and provide initial access for ransomware and espionage. Microsoft and multiple security agencies have warned repeatedly that Office remains a high-probability vector. The new vulnerabilities fit that pattern and therefore deserve aggressive mitigation.
Patching and mitigation: practical guidance for users and admins
Microsoft has released updates to remediate both CVE‑2026‑26110 and CVE‑2026‑26113. The following steps prioritize speed and safety for different environments.
Immediate actions (apply within 24–72 hours for most users)
- Apply Microsoft’s security updates via Windows Update, Microsoft Update Catalog, or your enterprise management tools (SCCM/ConfigMgr, WSUS, Intune). For Click‑to‑Run installs, ensure Microsoft 365 Apps auto-update is enabled or run updates from within an Office application (File → Account → Update Options → Update Now).
- For servers or systems that cannot be patched immediately, implement temporary mitigations (see below) and create a prioritized patch schedule.
- Verify deployment success: use vulnerability scanning tools and inventory to confirm affected Office versions were updated. Many vendors published Patch Tuesday advisories summarizing which KBs and builds remediate each CVE—consume those vendor mappings and correlate with your asset inventory.
If you cannot patch immediately (temporary mitigations)
- Disable the Preview Pane in Outlook and File Explorer. Many exploitation scenarios rely on automatic rendering via preview panes; disabling them reduces exposure until patches are applied. Security vendors and patch summaries have included this as a recommended stopgap.
- Open suspicious documents only in Protected View or on hardened sandboxes (isolated VMs). Encourage users to save then scan rather than relying on previews.
- Block or quarantine high‑risk file types at mail gateways if possible (for example, block inbound Office documents from unknown senders or use advanced attachment scanning).
- Enforce least privilege: limit user accounts so that Office runs in the lowest privilege context feasible; minimize local admin rights.
- Application control: use AppLocker or similar allowlisting to prevent unknown code execution pathways and reduce lateral movement risk.
- Endpoint detection: ensure EDR/AV solutions have the latest signatures and behavioral detections in place; monitor for anomalous Office host process behavior.
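As an added example (not from the original article or from Microsoft), a PowerShell script that covers both the "verify deployment" step above and the stopgap list: it reads the Click-to-Run build and channel from the registry to confirm the update landed, then reports or, with -Apply, sets the Protected View, internet-macro and Explorer preview pane policies for the current user. It assumes the standard Click-to-Run configuration key and the Office 16.0 policy values, that the Explorer NoReadingPane policy is the one that turns off the preview pane, and that $MinimumBuild is filled in from Microsoft's release notes (the value below is a placeholder).

```powershell
# Added example: Office build inventory plus stopgap mitigation check/apply.
# Run as the user whose profile is being hardened; save as a .ps1 and run with -Apply to enforce.
param(
    [version]$MinimumBuild = [version]'16.0.0.0',   # PLACEHOLDER: fixed build from Microsoft's March 2026 release notes
    [switch]$Apply
)

# 1. Inventory: Click-to-Run installs record their build and update channel here (MSI installs do not).
$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (Test-Path $c2r) {
    $cfg    = Get-ItemProperty -Path $c2r
    $build  = [version]$cfg.VersionToReport
    $status = if ($build -ge $MinimumBuild) { 'patched' } else { 'NEEDS UPDATE' }
    Write-Output ('Office C2R {0} {1} channel={2}: {3}' -f $build, $cfg.Platform, $cfg.UpdateChannel, $status)
} else {
    Write-Output 'No Click-to-Run configuration: MSI-based or no Office install; verify via installed-products inventory.'
}

# 2. Mitigation posture. An absent policy value leaves the setting user-controlled; setting it enforces it.
#    NoReadingPane is assumed to be the Explorer policy that disables the preview pane (ADMX naming).
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoReadingPane'; Data = 1; What = 'Explorer preview pane disabled' }
)
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $pv = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView"
    $checks += @{ Path = $pv; Name = 'DisableInternetFilesInPV'; Data = 0; What = "$app - Protected View for internet files" }
    $checks += @{ Path = $pv; Name = 'DisableAttachmentsInPV';   Data = 0; What = "$app - Protected View for Outlook attachments" }
    $checks += @{ Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"; Name = 'blockcontentexecutionfrominternet'; Data = 1; What = "$app - block macros in internet files" }
}

foreach ($chk in $checks) {
    $current = (Get-ItemProperty -Path $chk.Path -Name $chk.Name -ErrorAction SilentlyContinue).($chk.Name)
    if ($current -eq $chk.Data) { Write-Output "[OK]      $($chk.What)"; continue }
    if ($Apply) {
        New-Item -Path $chk.Path -Force | Out-Null            # creates intermediate keys as needed
        New-ItemProperty -Path $chk.Path -Name $chk.Name -Value $chk.Data -PropertyType DWord -Force | Out-Null
        Write-Output "[APPLIED] $($chk.What)"
    } else {
        Write-Output "[MISSING] $($chk.What) (run with -Apply to set)"
    }
}
```

The Outlook reading pane is a per-view setting rather than a single policy value, so the script does not touch it; disable it in Outlook itself or via your mail-client management tooling.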
Enterprise deployment guidance: test, stage, monitor
Large organizations should follow robust patch‑management discipline to avoid regressions while ensuring fast remediation.
- Inventory and prioritize:
- Map which endpoints run which Office channels (Click‑to‑Run vs MSI), LTSC builds, or macOS equivalents.
- Prioritize high‑exposure targets (email servers, users with Outlook preview enabled, high‑privilege accounts).
- Test before wide rollout:
- Deploy patches to a pilot group that mirrors production (different channels, add‑ins) to catch compatibility problems wit
- Staged rollout:
- Use staggered deployment windows: pilot → critical groups → rest of organization.
- Maintain rollback plans and backups in case of unexpected issues.
- Detection and response:
- Tune EDR to detect suspicious Office process hooks, unusual child process creation, and memory‑corruption exploitation attempts.
- After patching, hunt for indicators of compromise from the period before updates were applied—mail gateway logs, file server logs, and unusual authentication patterns.
- Communication:
- Notify end users about the patch, explain temporary mitigations (don’t use preview panes for unknown emails), and provide instructions for prompting updates if necessary.
The paradox of "local" vs "remote" in practice — an operational note
Security scoring and disclosure frameworks use precise terminology: Attack Vector: Local (AV:L) means the vulnerable code runs locally on the machine. That label can miss the operational reality for defenders because many modern convenience features (preview panes, thumbnail generators, server‑side document handlers) cause local code to run as a direct result of remote delivery.
This is not an abstract quibble: if you rely on CVSS Attack Vector alone to prioritize, you might deprioritize an “AV:L” fix while attackers exploit the same pathway by simply sending a file that the victim’s client previews automatically. In March 2026’s Office fixes this distinction mattered enough that multiple vendors flagged the discrepancy and advised defenders to treat the Office RCEs as immediate, actionable risks.
What defenders should monitor after patching
- Unusual Office process behavior: Office apps spawning unexpected child processes or loading code modules they shouldn’t.
- New account or service creation: attackers leveraging Office as an initial access vector often attempt persistence quickly.
- Outbound traffic to unknown hosts following Office process activity; this can indicate C2 communication initiated after successful exploitation.
- Mail gateway logs showing known malicious attachments, repeated deliveries of Office documents from untrusted domains, and spikes in preview pane render failures or crashes.
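An added hunting script, not part of the original article, for the first monitoring item above: it queries Windows Security event 4688 for Office host processes (including the preview handler host prevhost.exe) that spawned scripting or download utilities, which document rendering should never do. It assumes "Audit Process Creation" with command-line logging is enabled on the endpoint and that it runs with rights to read the Security log; the parent and child process lists are assumed starting points to tune to your environment.

```powershell
# Added example: hunt the Security log for Office applications spawning unexpected children.
# Assumes event 4688 with "Include command line in process creation events" enabled; run elevated.
param(
    [int]$Hours = 72,                        # look back over the pre-patch window of interest
    [string]$Computer = $env:COMPUTERNAME
)

# Office processes that render documents; preview handlers run inside these or in prevhost.exe.
$officeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe', 'prevhost.exe'
# Children that indicate post-exploitation activity rather than document handling (assumed list, tune it).
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
                      'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe', 'curl.exe'

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Read the EventData fields by name instead of by positional index, which varies between Windows builds.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $parent = ([IO.Path]::GetFileName([string]$d['ParentProcessName'])).ToLower()
    $child  = ([IO.Path]::GetFileName([string]$d['NewProcessName'])).ToLower()
    if ($officeParents -contains $parent -and $suspiciousChildren -contains $child) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $d['SubjectUserName']
            Parent  = $parent
            Child   = $child
            Command = $d['CommandLine']
        }
    }
}

if ($findings) { $findings | Sort-Object Time | Format-Table -AutoSize -Wrap }
else { Write-Output "No Office-spawned scripting or download utilities in the last $Hours hours on $Computer." }
```

Any hit from the pre-patch window deserves a full triage of that host (mail logs for the delivering message, outbound connections after the child process started), since a patched Office does not undo an earlier compromise.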
Strengths and limitations of Microsoft’s response
- Strengths:
- Microsoft released vendor updates and mapped the CVEs into its March 2026 rollup, making patches widely available through standard channels.
- The company and ecosystem vendors quickly published mitigation guidance (e.g., disabling preview panes), and security vendors produced playbooks and scanning checks to identify vulnerable installs—this coordinated coverage reduces time-to-remediation for defenders.
- Limitations and risks:
- The local vs remote labeling mismatch can cause triage confusion; organizations that rigidly rely on CVSS AV values might misprioritize risk.
- Legacy Office versions that have reached end of support represent unfixable holes for many organizations that delay upgrades—those systems require compensating controls if migration is not immediate. Microsoft ended support for Office 2016 and Office 2019 on October 14, 2025, so any environment still running those versions after that date is at materially greater risk.
- Patching Office in large, heterogeneous estates (mix of Click‑to‑Run, MSI, macOS, and server components) is operationally demanding; incomplete inventory or fractured update processes slow remediation and increase exposure time. Security teams must invest in accurate discovery and controlled deployment tooling.
Checklist: What to do right now
- Confirm which Office builds and channels your organization uses.
- Apply Microsoft’s March 2026 Office security updates immediately via your standard deployment tooling.
- If you cannot patch immediately:
- Disable preview panes in Outlook and File Explorer.
- Require Protected View for documents from the internet.
- Block risky attachments at the gateway and restrict execution of Office-related macros.
- Scan for and remediate any suspicious activity from the pre-patch period (mail logs, endpoint telemetry).
- Accelerate upgrades off end‑of‑life Office products; do not rely on unsupported software for business‑critical endpoints.
Final analysis — why this matters beyond the immediate patch
Two newly patched Office vulnerabilities may look like another entry in Patch Tuesday’s inventory, but their characteristics underline a few persistent truths:
- Office is a primary attack surface and will stay that way because of its ubiquity and the convenience features that make exploitation easier (preview panes, embedded content).
- The operational reality of exploitation (remote delivery, local execution) blurs label-driven triage; defenders must adopt a posture that assumes remote-delivery-with-local-trigger is possible whenever document rendering is involved.
- Patching windows matter. The industry’s speed in publishing advisory material this month is good, but the real measure is how quickly organizations translate that guidance into applied controls. For many teams the hard part isn’t knowing there is a patch—it’s deploying it safely and verifying remediation across a real-world fleet.
Microsoft has fixed CVE‑2026‑26110 and CVE‑2026‑26113—apply those updates now, follow the temporary mitigations if necessary, and treat any systems that cannot be patched as high‑priority assets for isolation and monitoring. The next Office‑based exploit is never far away; the best defense remains timely patching combined with layered mitigations and vigilant detection.
Source: PC Gamer Microsoft Office has two critical vulnerabilities but patches are available for them