Critical Microsoft Excel Information Disclosure Vulnerability (CVE-2026-26144)
Microsoft published guidance for CVE-2026-26144, a Critical Microsoft Excel information disclosure vulnerability tracked in the Microsoft Security Update Guide. Microsoft maps the issue to CWE-79 (improper neutralization of input during web page generation / XSS) and provides CVSS v3.1 scoring indicating network-reachable exploitation conditions with high confidentiality impact (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The advisory is available via MSRC’s Update Guide endpoints (including RSS, PowerShell, API, and CSAF links) to support patch/vulnerability management workflows. No additional incident context, exploitation details, or third-party reporting is included in the provided material beyond the MSRC advisory metadata and scoring.
Sources
Related Stories
Microsoft Windows Kernel Elevation of Privilege Vulnerability (CVE-2026-24289)
Microsoft published guidance for **CVE-2026-24289**, an **Important** severity **Windows Kernel elevation of privilege** vulnerability caused by **CWE-416 (use-after-free)**. Microsoft scored the issue with **CVSS 3.1: 7.8** (vector `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`), indicating exploitation requires **local** access with **low** attack complexity and **low privileges**, and could result in high impact to confidentiality, integrity, and availability if successfully exploited. The Security Update Guide entry provides standard Microsoft consumption options (e.g., *PowerShell*, API, CSAF) for tracking and integrating the advisory into vulnerability management workflows. The two provided references are effectively duplicate MSRC pages for the same CVE (one localized under `/en-US/`) and do not add distinct technical details beyond the vulnerability classification and scoring.
1 weeks ago
Microsoft March 2026 Patch Tuesday Vulnerabilities Across SharePoint, Office/Excel, Windows Drivers, and GDI
Microsoft published security advisories for multiple **Important** and **Critical** vulnerabilities affecting *SharePoint Server*, *Microsoft Office/Excel*, Windows components, and *GDI*. The highest-impact server-side issue is **CVE-2026-26114**, a *SharePoint Server* **remote code execution** flaw attributed to **CWE-502 (deserialization of untrusted data)** with a CVSS v3.1 vector `AV:N/AC:L/PR:L/UI:N` (base score shown as 8.8), indicating network reachability with low complexity and requiring low privileges. Microsoft also disclosed **CVE-2026-26105**, a *SharePoint Server* **spoofing** issue mapped to **CWE-79 (XSS)** with `AV:N/AC:L/PR:N/UI:R` (base score shown as 8.1), implying remote exploitation that requires user interaction. On the endpoint/application side, Microsoft listed several *Office/Excel* **remote code execution** vulnerabilities: **CVE-2026-26109** (Excel RCE; **CWE-125 out-of-bounds read**; vector `AV:L/AC:L/PR:N/UI:N`, base score shown as 8.4), **CVE-2026-26108** (Excel RCE; **CWE-122 heap-based buffer overflow**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8), and **CVE-2026-26112** (Excel RCE; **CWE-822 untrusted pointer dereference**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8). Microsoft also published **CVE-2026-26113**, a **Critical** *Microsoft Office* RCE (also **CWE-822**) with `AV:L/AC:L/PR:N/UI:N` (base score shown as 8.4); one reference is a duplicate advisory page for the same CVE. Additional component advisories include **CVE-2026-24288** (Windows Mobile Broadband Driver RCE; **CWE-122**; `AV:P/AC:L/PR:N/UI:N`, base score shown as 6.8, requiring physical access) and **CVE-2026-25190** (GDI RCE; **CWE-426 untrusted search path**; `AV:L/AC:L/PR:N/UI:R`, base score shown as 7.8).
1 weeks ago
Windows Kernel Elevation of Privilege Vulnerability (CVE-2026-26132)
Microsoft published details for **CVE-2026-26132**, an **Important** severity **Windows Kernel** *elevation of privilege* vulnerability caused by **CWE-416 (use-after-free)**. The issue is scored **CVSS 3.1: 7.8** with vector `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, indicating exploitation requires **local access** and **low complexity**, with **low privileges required** and **no user interaction**, and could result in high impact to confidentiality, integrity, and availability. Microsoft’s Security Update Guide entry provides standard machine-consumable references (e.g., *PowerShell*, *API*, and *CSAF* links) for tracking and patch management. No additional exploitation details, in-the-wild exploitation confirmation, or public proof-of-concept information is included in the provided material beyond the vulnerability classification and scoring.
6 days ago