Microsoft fixes critical Office flaw that could let attackers run code locally


Microsoft has patched a critical Microsoft Office vulnerability tracked as CVE-2026-26110 as part of its March 10, 2026 security updates. The flaw carries a CVSS score of 8.4 and stems from a type confusion issue in Office that could allow an unauthorized attacker to execute code locally on a target system.

That makes this a serious bug, but the sample article you shared goes further than the official material supports. Microsoft’s published update pages clearly describe CVE-2026-26110 as a Microsoft Office remote code execution vulnerability, yet the official references I reviewed do not confirm every claim in the draft about Preview Pane exploitation, zero user interaction, worldwide platform scope, or Android-specific exposure. Those points should be treated cautiously unless you want them attributed to third-party analysis rather than Microsoft’s own advisory pages.

The verified core story is still important. Microsoft issued the patch on March 10 and rates the flaw critical. The CVE description says the problem involves “access of resource using incompatible type,” which is the classic pattern for type confusion bugs: code reads or writes a memory object as if it were a different type than the one actually stored there. In real-world terms, that means Office can mishandle data in memory in a way that may let malicious code run.

Microsoft’s update pages for Office 2016 also confirm that the security release specifically resolves CVE-2026-26110. That gives defenders a direct patch path through Microsoft Update, the Microsoft Update Catalog, and the Microsoft Download Center for supported editions that receive these packages.

What is confirmed

Item | Status | Source
---- | ------ | ------
CVE-2026-26110 exists | Confirmed | Microsoft reference listed in CVE record
It is a Microsoft Office remote code execution vulnerability | Confirmed | Microsoft support update pages
It was patched on March 10, 2026 | Confirmed | Microsoft support update pages
It has CVSS 8.4 | Confirmed | CVE record referencing Microsoft advisory
It involves type confusion | Confirmed | CVE record referencing Microsoft advisory
Microsoft rates future exploitation as less likely | Supported | Third-party Patch Tuesday analysis

What the sample overstates

Several claims in the draft need trimming or attribution:

  • The draft says the flaw affects Windows, Mac, and Android broadly. I did not find official Microsoft pages in the material reviewed here that confirm that full cross-platform scope for CVE-2026-26110.
  • The draft says the Windows Preview Pane is a confirmed attack vector. I found that in third-party Patch Tuesday analysis, not in the Microsoft support pages surfaced here.
  • The draft says the bug requires no user interaction. The CVSS vector shown in the CVE summary lists UI:N, which supports that scoring detail, but the official support pages surfaced here do not spell out a full exploit chain.
  • The draft says Microsoft reported no active exploitation and no proven exploit code. I did not find that exact Microsoft wording in the official pages surfaced here, though third-party Patch Tuesday summaries say exploitation is considered less likely.

Why this vulnerability matters

Office remains a high-value target because malicious documents still play a major role in phishing, malware delivery, and initial access. Even when a flaw requires a local trigger, attackers can often deliver that trigger through email attachments, downloads, shared files, or enterprise content workflows. A critical Office bug with an 8.4 score deserves fast patching even when Microsoft has not reported in-the-wild exploitation.

Type confusion flaws also tend to worry defenders because they can open the door to memory corruption. When a program treats one object as another type, field offsets, lengths, and pointers are misinterpreted, so memory gets misread or misused; from there attackers may be able to crash an application, bypass restrictions, or chain the issue into code execution. That is why Microsoft classifies CVE-2026-26110 as a remote code execution vulnerability rather than a minor stability issue.
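To make the “access of resource using incompatible type” pattern concrete, here is an added illustration in C (not Office code and not derived from Microsoft’s advisory). It uses a hypothetical tagged value type, value_t, of the kind document parsers use to keep mixed objects in one slot: an accessor that skips the tag check reads an integer payload back as a pointer, while the hardened accessor validates the tag first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged value (constructed for this example). One slot can hold
 * either an integer or a string pointer; the tag says which one is live. */
typedef enum { KIND_INT = 1, KIND_STR = 2 } kind_t;

typedef struct {
    kind_t kind;
    union {
        int64_t     i;   /* valid only when kind == KIND_INT */
        const char *s;   /* valid only when kind == KIND_STR */
    } u;
} value_t;

/* CWE-843 pattern: the accessor trusts the caller's assumption and never
 * checks the tag, so an integer payload is reinterpreted as a pointer. */
const char *as_str_unchecked(const value_t *v) {
    return v->u.s;
}

/* Hardened accessor: validate the tag before reinterpreting the slot. */
const char *as_str_checked(const value_t *v) {
    return (v->kind == KIND_STR) ? v->u.s : NULL;
}

/* Returns 1 when the unchecked read hands back a "pointer" whose numeric value
 * is just the integer payload, i.e. memory was misread through the wrong type.
 * The bogus pointer is compared, never dereferenced. */
int unchecked_misreads(int64_t payload) {
    value_t v = { .kind = KIND_INT, .u.i = payload };
    const char *p = as_str_unchecked(&v);
    return (uintptr_t)p == (uintptr_t)payload;
}

/* Returns 1 when the checked accessor refuses to read an INT slot as a string. */
int checked_rejects(int64_t payload) {
    value_t v = { .kind = KIND_INT, .u.i = payload };
    return as_str_checked(&v) == NULL;
}

/* Legitimate use: a STR slot read through the checked accessor works normally. */
size_t checked_str_len(const char *text) {
    value_t v = { .kind = KIND_STR, .u.s = text };
    const char *p = as_str_checked(&v);
    return p ? strlen(p) : 0;
}
```

The payload used below fits in 32 bits so the comparison holds on both 32-bit and 64-bit little-endian builds.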

What admins and users should do now

  • Install the March 10, 2026 Office security updates through Microsoft Update or your normal patch management tool.
  • Prioritize systems that still rely on older perpetual Office editions such as Office 2016.
  • Review email and file-delivery controls because Office flaws often pair with document lures.
  • Track additional Microsoft guidance if your environment includes other Office editions not clearly covered in the support pages already published.

FAQ

What is CVE-2026-26110?

It is a critical Microsoft Office remote code execution vulnerability caused by a type confusion issue.

How severe is the bug?

The CVE carries a CVSS base score of 8.4.

Did Microsoft patch it?

Yes. Microsoft released security updates on March 10, 2026, and Office 2016 support pages explicitly say the update resolves CVE-2026-26110.

Was it actively exploited?

The official pages I reviewed do not confirm active exploitation. Third-party Patch Tuesday summaries describe exploitation as less likely.

Is the Preview Pane definitely an attack path?

Third-party security analysis says yes, but the Microsoft support pages surfaced here do not explicitly confirm that detail.
