On 10 March 2026, Microsoft released its March 2026 security update addressing 83 newly disclosed vulnerabilities. Arctic Wolf has highlighted three vulnerabilities affecting Microsoft Office in this security bulletin, which Microsoft has rated as critical. At the time of writing, none of the vulnerabilities in this update have been reported as exploited in the wild.
Vulnerabilities
| Vulnerability | CVSS | Description |
| CVE-2026-26110 | 8.4 | Microsoft Office Remote Code Execution Vulnerability – A type confusion vulnerability that allows a remote threat actor to execute code. Although the threat actor is remote, the exploitation and code execution occur on the victim’s local system. The preview pane is an attack vector. |
| CVE-2026-26113 | 8.4 | Microsoft Office Remote Code Execution Vulnerability – An untrusted pointer dereference vulnerability that allows a remote threat actor to execute code. Although the threat actor is remote, the exploitation and code execution occur on the victim’s local system. The preview pane is an attack vector. |
| CVE-2026-26144 | 7.5 | Microsoft Excel Information Disclosure Vulnerability – A cross-site scripting (XSS) vulnerability in Microsoft Excel allows remote threat actors to disclose information. Exploitation can cause the Copilot agent mode to exfiltrate data through unintended network egress, enabling a zero-click information disclosure attack. |
Recommendation
Upgrade to Latest Fixed Versions
Arctic Wolf strongly recommends that customers upgrade to the latest fixed versions.
| Affected Product | Vulnerability | Update Article |
| Microsoft SharePoint Server Subscription Edition | CVE-2026-26113 | 5002843 |
| Microsoft SharePoint Server 2019 | CVE-2026-26113 | 5002845, 5002847 |
| Microsoft SharePoint Enterprise Server 2016 | CVE-2026-26113 | 5002850, 5002851 |
| Microsoft Office LTSC for Mac 2021, and 2024 | CVE-2026-26110, CVE-2026-26113 | Release Notes |
| Microsoft Office LTSC 2024 for 32-bit, and 64-bit editions | CVE-2026-26110, CVE-2026-26113 | Click to Run |
| Microsoft Office LTSC 2021 for 64-bit editions | CVE-2026-26110, CVE-2026-26113 | Click to Run |
| Microsoft Office LTSC 2021 for 32-bit editions | CVE-2026-26110 | Click to Run |
| Microsoft Office for Android | CVE-2026-26110 | Release Notes |
| Microsoft Office 2019 for 32-bit, and 64-bit editions | CVE-2026-26110, CVE-2026-26113 | Click to Run |
| Microsoft Office 2016 for 32-bit, and 64-bit editions | CVE-2026-26110, CVE-2026-26113 | 5002838 |
| Microsoft 365 Apps for Enterprise for 32-bit, and 64-bit Systems | CVE-2026-26110, CVE-2026-26113, CVE-2026-26144 | Click to Run |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
