Microsoft Discloses Critical Office Vulnerability (CVE-2026-26110) with High Severity Risk
On March 10, 2026, Microsoft revealed a critical security flaw in Microsoft Office, tracked as CVE-2026-26110, with a CVSS score of 8.4, classifying it as a high-severity vulnerability. The issue stems from a type confusion weakness (CWE-843), where improper handling of object types in memory could allow attackers to execute arbitrary code on affected systems.
The vulnerability enables remote code execution (RCE) despite being scored with a local attack vector (AV:L) in its CVSS metrics. Exploitation requires malicious content to be processed by a targeted system, granting attackers the same privileges as the logged-in user. Notably, the Office Preview Pane can serve as an attack vector, meaning that simply previewing a crafted file could trigger the exploit without user interaction.
While Microsoft assesses exploitation as "less likely" and reports no active attacks or public exploit code, successful exploitation could lead to malware deployment, data theft, or full system compromise. The flaw affects confidentiality, integrity, and availability, all rated as high-impact in CVSS scoring.
Microsoft has released security updates to patch the vulnerability and recommends immediate installation. Additional mitigations include disabling automatic document previews, user education on phishing risks, and deploying endpoint protection tools. The flaw was responsibly disclosed by an anonymous researcher.
The incident underscores the growing threat to widely used productivity software and the need for timely patching in enterprise environments.
Source: https://cyberpress.org/microsoft-office-vulnerability/
Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center
{
  "id": "MIC1773239044",
  "linkid": "microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}