Critical Microsoft Office RCE Vulnerabilities CVE-2026-26113 and CVE-2026-26110 Demand Urgent Patching
Two critical remote code execution vulnerabilities in Microsoft Office — CVE-2026-26113 and CVE-2026-26110 — allow attackers to execute malicious code through specially crafted documents, with security analysts warning that exploitation is likely imminent given the widespread use of Office in enterprise environments.
Security analysts are urging organizations to prioritize patching two critical remote code execution vulnerabilities in Microsoft Office — CVE-2026-26113 and CVE-2026-26110 — disclosed in the March 2026 Patch Tuesday release. Both flaws allow attackers to execute malicious code through specially crafted Office documents, with the preview pane serving as an attack vector.
Preview Pane Exploitation
The most concerning aspect of both vulnerabilities is that the preview pane in Windows File Explorer and Outlook is listed as an attack vector. This means that a user does not need to explicitly open a malicious document to trigger the vulnerability — simply navigating to a folder containing a malicious file or receiving it as an email attachment and viewing the preview could be sufficient. This attack vector significantly increases the risk because it removes the "don't open suspicious files" defense that organizations rely on as a first line of protection.
Exploitation Likelihood
Microsoft rates CVE-2026-26113 as "Exploitation More Likely" based on the vulnerability characteristics and the availability of technical details that could enable exploit development. CVE-2026-26110 is rated as "Exploitation Less Likely" with no confirmed proof-of-concept exploit, but security researchers note that Office vulnerabilities historically attract rapid exploit development given the ubiquity of Microsoft Office in enterprise environments.
Remediation Priority
Organizations should apply the March 2026 Office updates as their highest priority after the SQL Server zero-day. For environments where immediate patching is not possible, temporary mitigations include disabling the preview pane in File Explorer and Outlook, blocking Office file types at the email gateway, and using Application Guard for Office to open untrusted documents in isolated containers. These mitigations reduce but do not eliminate the risk, and should be treated as temporary measures while patch deployment is completed.
Related Articles
Cloudflare 2026 Threat Report: 230 Billion Daily Blocked Threats and the Rise of Credential Attacks
Cloudflare has published its inaugural annual threat report revealing the company blocks over 230 billion threats daily across 20% of global web traffic. DDoS attacks doubled year-over-year to 47.1 million incidents, with the largest reaching a record 31.4 Tbps, while bots now account for 94% of all login attempts.
HashiCorp Patches Consul Arbitrary File Read Vulnerability in Kubernetes Auth
HashiCorp has released emergency patches for Consul to address CVE-2026-2808, a medium-severity vulnerability allowing arbitrary file reads when Kubernetes authentication is enabled. The fix also adds HTTP server timeouts to prevent Slowloris denial-of-service attacks against Consul agent endpoints.
Let's Encrypt Now Issues Six-Day Certificates and IP Address Certificates via Certbot
Let's Encrypt and the EFF have announced support for six-day (160-hour) certificates and IP address certificates through Certbot 5.3 and 5.4. The ultra-short-lived certificates reduce the impact window of compromised keys by design, while IP address certificates enable HTTPS for services identified by address rather than hostname.