Microsoft March 2026 Patch Tuesday Vulnerabilities Across SharePoint, Office/Excel, Windows Drivers, and GDI
Microsoft published security advisories for multiple Important and Critical vulnerabilities affecting SharePoint Server, Microsoft Office/Excel, Windows components, and GDI. The highest-impact server-side issue is CVE-2026-26114, a SharePoint Server remote code execution flaw attributed to CWE-502 (deserialization of untrusted data) with a CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N (base score shown as 8.8), indicating network reachability with low complexity and requiring low privileges. Microsoft also disclosed CVE-2026-26105, a SharePoint Server spoofing issue mapped to CWE-79 (XSS) with AV:N/AC:L/PR:N/UI:R (base score shown as 8.1), implying remote exploitation that requires user interaction.
On the endpoint/application side, Microsoft listed several Office/Excel remote code execution vulnerabilities: CVE-2026-26109 (Excel RCE; CWE-125 out-of-bounds read; vector AV:L/AC:L/PR:N/UI:N, base score shown as 8.4), CVE-2026-26108 (Excel RCE; CWE-122 heap-based buffer overflow; AV:L/AC:L/PR:N/UI:R, base score shown as 7.8), and CVE-2026-26112 (Excel RCE; CWE-822 untrusted pointer dereference; AV:L/AC:L/PR:N/UI:R, base score shown as 7.8). Microsoft also published CVE-2026-26113, a Critical Microsoft Office RCE (also CWE-822) with AV:L/AC:L/PR:N/UI:N (base score shown as 8.4); one reference is a duplicate advisory page for the same CVE. Additional component advisories include CVE-2026-24288 (Windows Mobile Broadband Driver RCE; CWE-122; AV:P/AC:L/PR:N/UI:N, base score shown as 6.8, requiring physical access) and CVE-2026-25190 (GDI RCE; CWE-426 untrusted search path; AV:L/AC:L/PR:N/UI:R, base score shown as 7.8).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Microsoft publishes March 2026 advisories for multiple RCE and spoofing flaws
Microsoft's Security Update Guide published advisories for several vulnerabilities affecting SharePoint Server, Excel, Microsoft Office, GDI, and the Windows Mobile Broadband Driver, including CVE-2026-26114, CVE-2026-26109, CVE-2026-26105, CVE-2026-26108, CVE-2026-24288, CVE-2026-25190, CVE-2026-26112, and CVE-2026-26113. The disclosures indicate security updates were made available for remote code execution and spoofing issues across these products.
Sources
9 references tracked. Mallory keeps watching after this page renders.
CVE-2026-26114 - Security Update Guide - Microsoft - Microsoft SharePoint Server Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE Details - Microsoft Excel Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-26105 - Security Update Guide - Microsoft - Microsoft SharePoint Server Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-26108 - Security Update Guide - Microsoft - Microsoft Excel Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-24288 - Security Update Guide - Microsoft - Windows Mobile Broadband Driver Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-25190 - Security Update Guide - Microsoft - GDI Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-26112 - Security Update Guide - Microsoft - Microsoft Excel Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-26113 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-26113 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Fixes Multiple Remote Code Execution Flaws Across SharePoint, Edge, Azure, and Power Pages
Microsoft published security advisories for several remote code execution vulnerabilities affecting **SharePoint**, **Microsoft Edge (Chromium-based)**, **Azure Orbital Spatio**, **Azure Virtual Network Gateway**, and **Microsoft Power Pages**, including `CVE-2026-45659`, `CVE-2026-45495`, `CVE-2026-40412`, `CVE-2026-40411`, and `CVE-2026-23652`. The most detailed disclosures focused on SharePoint Server, where Microsoft described `CVE-2026-35439` and `CVE-2026-40357` as **deserialization of untrusted data** flaws that could let authenticated attackers execute arbitrary code over the network on vulnerable servers. Microsoft rated both SharePoint issues **Important** with **CVSS 8.8** and said exploitation requires valid access, with `CVE-2026-35439` requiring at least **Site Owner** privileges and `CVE-2026-40357` requiring **Site Member** permissions. The company said neither flaw had been publicly disclosed or exploited in the wild at publication and assessed exploitation as less likely, while providing fixes that also apply to both **SharePoint Server 2016** and **SharePoint Enterprise Server 2016**. Microsoft also disclosed `CVE-2026-40362`, an **Excel** heap-based buffer overflow that can lead to remote code execution if a user opens a malicious Office file; Microsoft said the Preview Pane is not an attack vector and that a patch is available.
May 27, 2026
Microsoft Patches Repeated Remote Code Execution Flaws Across Office Apps
Microsoft published a long series of security advisories for **remote code execution** vulnerabilities affecting core Office components, with the largest concentration in **Excel** and **Word**. The disclosures include Excel flaws such as `CVE-2024-49026`, `CVE-2024-49069`, `CVE-2025-21362`, `CVE-2025-21381`, `CVE-2025-21387`, `CVE-2025-24082`, `CVE-2025-62553`, `CVE-2026-26107`, `CVE-2026-26109`, `CVE-2026-26112`, and `CVE-2026-40359`, alongside Word issues including `CVE-2025-24077`, `CVE-2025-24078`, `CVE-2025-47170`, `CVE-2025-49700`, `CVE-2025-59222`, `CVE-2026-23657`, and `CVE-2026-33095`. Microsoft also listed related RCE bugs in **Microsoft Office** (`CVE-2025-21392`), **PowerPoint** (`CVE-2025-54908`), **Inbox COM Objects (Global Memory)** (`CVE-2025-58730`), and the **Visual Studio Code Python Extension** (`CVE-2025-49714`). One of the few entries with technical detail, **`CVE-2026-40359`**, describes an **Important** Excel use-after-free flaw (`CWE-416`) with a **CVSS 3.1 score of 7.8** that can let an attacker execute code if a user opens a malicious Office file. Microsoft said the bug was **not publicly disclosed**, **not exploited in the wild**, and **less likely** to be exploited at the time of publication, adding that the **Preview Pane is not an attack vector** and that a fix is available. Taken together, the advisories show Microsoft continuing to address document-driven code execution risks across Office products, where successful exploitation generally depends on **user interaction with crafted files** rather than direct network exposure.
May 25, 2026
Microsoft patches multiple remote code execution flaws in Office and Windows graphics
Microsoft disclosed and patched several remote code execution vulnerabilities affecting **Microsoft Office**, **Excel**, and Windows graphics components, including `CVE-2026-42831`, `CVE-2026-26108`, `CVE-2025-49742`, `CVE-2024-49031`, `CVE-2024-49065`, and `CVE-2026-35421`. The issues span Office document handling, Excel, the **Office Graphics** stack, the **Windows Graphics Component**, and **Windows GDI**, indicating broad exposure across common user-facing software used to process files and render content. Microsoft said `CVE-2026-42831` is a **heap-based buffer overflow** in Microsoft Office that can allow code execution when a user opens a malicious Office file. The flaw carries a **CVSS 7.8** score, requires user interaction, and is **not exploitable through the Preview Pane**; Microsoft also said it was **not publicly disclosed**, **not observed in the wild**, and assessed as **less likely to be exploited**, with a security fix available. The related advisories point to a recurring risk pattern in which crafted documents or graphics content can trigger code execution on victim systems, reinforcing the need to prioritize patching for Office and Windows rendering components.
May 25, 2026