Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Microsoft Office Preview Pane Remote Code Execution via Untrusted Pointer Dereference

IdentifiersCVE-2026-26113CWE-822· Untrusted Pointer Dereference

CVE-2026-26113 is a critical remote code execution vulnerability in Microsoft Office caused by an untrusted pointer dereference. Microsoft’s description states that an unauthorized attacker can execute code locally. Multiple supporting reports indicate the flaw is reachable through the Microsoft Office Preview Pane, meaning a specially crafted malicious document or message can trigger exploitation when it is previewed, without requiring the victim to fully open the file. The issue affects multiple Microsoft Office product lines, including Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office LTSC variants, and Mac releases referenced in Microsoft update material. The vulnerability is mapped to CWE-822 and has been reported with CVSS v3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution in the context of the targeted system, with high impact to confidentiality, integrity, and availability. An attacker could use the flaw to run malicious payloads, compromise the affected endpoint, steal data, deploy additional malware, or establish an initial foothold for further intrusion activity. Because the Preview Pane is reported as an attack vector, exploitation may occur with minimal victim action, increasing the risk of phishing- or message-based delivery.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable or restrict use of the Office/Outlook Preview Pane as a temporary risk-reduction measure, since multiple sources identify it as the exploit vector for this CVE. Additionally, restrict or block Office documents and messages from untrusted sources, harden email filtering and attachment handling, and monitor for suspicious Office-driven execution activity. These measures are mitigations only and do not replace vendor patching.

Remediation

Patch, then assume compromise.

Apply Microsoft’s March 2026 security updates for affected Microsoft Office products. The provided content indicates fixes were released through Click-to-Run updates, Office release notes, and specific KB packages depending on product/version, including Office 2016 update KB5002838 and updated releases for Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024, and Mac Office LTSC versions. Organizations should use the MSRC Update Guide entry for CVE-2026-26113 and the relevant product-specific update channels to ensure all affected Office installations are brought to a patched build.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft Corporation365 Appsapplication
Microsoft CorporationOfficeapplication
Microsoft CorporationOffice 2016application
Microsoft CorporationOffice 2019application
Microsoft CorporationOffice 2021application
Microsoft CorporationOffice 2024application
Microsoft CorporationOffice Long Term Servicing Channelapplication
Microsoft CorporationOffice Macos 2021application
Microsoft CorporationOffice Macos 2024application
Microsoft CorporationSharepoint Serverapplication
Microsoft CorporationSharepoint Server 2016application
Microsoft CorporationSharepoint Server 2019application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

27 SOURCESView more in app
+12 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity9

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-26113
NVD
nvd.nist.gov/vuln/detail/CVE-2026-26113
MITRE CWE · CWE-822
Untrusted Pointer Dereference
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26113