Microsoft Patch Tuesday Fixes Critical Office Preview Pane RCE Flaws
Microsoft released March Patch Tuesday security updates addressing nearly 80 vulnerabilities, including critical Microsoft Office remote code execution issues that can be triggered via the Windows Preview Pane. TechRepublic highlighted two Office flaws—CVE-2026-26113 and CVE-2026-26110—where simply previewing a malicious document can lead to attacker-controlled code execution, creating a low-friction initial access path for enterprise endpoints.
Cybersecurity News provided additional technical detail on CVE-2026-26110, describing it as a type confusion bug (CWE-843) with a CVSS 8.4 rating affecting Office across Windows, macOS, and Android. The write-up notes that while Microsoft labels it “remote code execution,” exploitation requires the payload to execute on the local machine (i.e., attacker code runs locally after the victim triggers the vulnerable processing), and emphasizes the risk that Preview Pane handling can enable compromise without the user opening the document in the traditional sense.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses Excel flaw that could leak Copilot Agent data
Microsoft's March Patch Tuesday release included CVE-2026-26144, an Excel information disclosure vulnerability that could cause Copilot Agent mode to expose sensitive data across a network. The issue was included among the March 10 security fixes.
Microsoft patches AI-discovered Devices Pricing Program vulnerability
Microsoft fixed CVE-2026-21536, a CVSS 9.8 vulnerability affecting the Microsoft Devices Pricing Program. The flaw was reportedly discovered by an autonomous AI agent named XBOW.
Microsoft addresses publicly disclosed SQL Server and .NET flaws
The March 2026 updates also remediated two publicly disclosed vulnerabilities: SQL Server privilege escalation CVE-2026-21262 and .NET denial-of-service issue CVE-2026-26127. Their prior public disclosure increased urgency because technical details may already have been available.
Microsoft patches critical Office Preview Pane RCE vulnerabilities
Microsoft fixed high-priority Office remote code execution flaws CVE-2026-26110 and CVE-2026-26113, which can be triggered through the Windows File Explorer Preview Pane by viewing a malicious document. Microsoft advised immediate patching and suggested disabling the Preview Pane as a temporary mitigation if updates cannot be applied right away.
Microsoft releases March Patch Tuesday fixes for 78 vulnerabilities
On March 10, 2026, Microsoft issued security updates covering 78 vulnerabilities across products including Office, Excel, SQL Server, .NET, and the Microsoft Devices Pricing Program. The release included three critical issues and no actively exploited zero-days.
Anonymous researcher discloses Office RCE flaw CVE-2026-26110 to Microsoft
An anonymous researcher reported CVE-2026-26110, a type confusion vulnerability in Microsoft Office that can lead to arbitrary code execution. Microsoft said there was no known in-the-wild exploitation or proven exploit code at the time of disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Critical Office and Outlook Preview Pane RCE Flaws
Microsoft has released fixes for multiple **critical Microsoft Office, Word, and Outlook Classic vulnerabilities** that can lead to remote code execution when a victim opens or previews a specially crafted file or email. The affected flaws include Office bugs **CVE-2025-49695**, **CVE-2025-49696**, **CVE-2025-49697**, **CVE-2025-49699**, **CVE-2025-49702**, Word bug **CVE-2025-49698**, and newer Outlook/Word rendering issues **CVE-2026-45456**, **CVE-2026-45458**, and **CVE-2026-47635**. Microsoft described the bugs as stemming from memory-safety issues such as **use-after-free**, **heap-based buffer overflow**, **type confusion**, and **out-of-bounds read**, with several carrying **CVSS 8.4** ratings. In multiple cases, Microsoft said the **Preview Pane** can trigger exploitation, and some flaws may be exploited without additional user interaction once malicious content is rendered. Microsoft said the vulnerable code paths affect Office and Word components, including the **Word rendering engine** used by **Outlook Classic**, and that supported builds such as **Microsoft Office LTSC 2024** and Mac Office LTSC channels received updates, with some Mac patches arriving later. Most of the 2025 flaws were not publicly disclosed or exploited at publication, though Microsoft assessed some as **more likely** to be exploited; the 2026 Outlook and Word issues similarly prompted urgent patching guidance because remotely delivered email content can trigger local processing and code execution. Microsoft urged organizations to install all applicable updates and strengthen defenses around Office email handling, including **Protected View**, **Attack Surface Reduction** rules, and monitoring for suspicious Office child-process activity.
Jun 12, 2026
Microsoft Patches Repeated Remote Code Execution Flaws Across Office Apps
Microsoft published a long series of security advisories for **remote code execution** vulnerabilities affecting core Office components, with the largest concentration in **Excel** and **Word**. The disclosures include Excel flaws such as `CVE-2024-49026`, `CVE-2024-49069`, `CVE-2025-21362`, `CVE-2025-21381`, `CVE-2025-21387`, `CVE-2025-24082`, `CVE-2025-62553`, `CVE-2026-26107`, `CVE-2026-26109`, `CVE-2026-26112`, and `CVE-2026-40359`, alongside Word issues including `CVE-2025-24077`, `CVE-2025-24078`, `CVE-2025-47170`, `CVE-2025-49700`, `CVE-2025-59222`, `CVE-2026-23657`, and `CVE-2026-33095`. Microsoft also listed related RCE bugs in **Microsoft Office** (`CVE-2025-21392`), **PowerPoint** (`CVE-2025-54908`), **Inbox COM Objects (Global Memory)** (`CVE-2025-58730`), and the **Visual Studio Code Python Extension** (`CVE-2025-49714`). One of the few entries with technical detail, **`CVE-2026-40359`**, describes an **Important** Excel use-after-free flaw (`CWE-416`) with a **CVSS 3.1 score of 7.8** that can let an attacker execute code if a user opens a malicious Office file. Microsoft said the bug was **not publicly disclosed**, **not exploited in the wild**, and **less likely** to be exploited at the time of publication, adding that the **Preview Pane is not an attack vector** and that a fix is available. Taken together, the advisories show Microsoft continuing to address document-driven code execution risks across Office products, where successful exploitation generally depends on **user interaction with crafted files** rather than direct network exposure.
May 25, 2026
Microsoft Patches 137 Flaws, Highlighting Word Preview Pane and Netlogon RCE Risks
Microsoft released its May Patch Tuesday updates fixing 137 vulnerabilities across Windows, Office, Azure, Dynamics 365, SharePoint, Copilot, and other products, with no actively exploited zero-days or publicly disclosed flaws reported at release. The update included multiple high-severity remote code execution bugs, notably Microsoft Word flaws `CVE-2026-40361` and `CVE-2026-40364`, which can be triggered through the Preview Pane by sending a malicious document, as well as `CVE-2026-42898` in Microsoft Dynamics 365 On-Premises, `CVE-2026-42823` in Azure Logic Apps, and `CVE-2026-33109` in Azure Managed Instance for Apache Cassandra. Researchers also flagged `CVE-2026-41089` in Windows Netlogon and `CVE-2026-41096` in Windows DNS Client as especially urgent because they expose broadly deployed enterprise infrastructure to remote compromise. Microsoft’s Windows 11 cumulative updates, including `KB5089549` and `KB5087420`, delivered many of the security fixes alongside reliability and usability improvements, and Microsoft said it was not aware of new issues with the release. Coverage and advisories also showed the breadth of the month’s attack surface, with additional fixes for SharePoint Server remote code execution, Office Click-to-Run privilege escalation, Hyper-V guest-to-host escalation, Teams spoofing, Outlook for iOS tampering, and several Copilot and Visual Studio Code vulnerabilities. Security researchers said the growing volume of Microsoft disclosures may reflect increased AI-assisted vulnerability discovery, while defenders were urged to prioritize patching domain controllers, DNS-exposed Windows systems, Office deployments, and internet-facing enterprise applications.
May 25, 2026