Microsoft released its March 2026 Patch Tuesday update on March 10, 2026, addressing 83 vulnerabilities across Windows, Microsoft Office, Azure, SQL Server, and .NET. Among the most pressing issues in this batch are two critical remote code execution vulnerabilities in Office, CVE-2026-26110 and CVE-2026-26113.
The significance of these flaws lies in their attack vector. These vulnerabilities are triggerable via the Preview Pane, meaning a user does not need to fully open a malicious file for exploitation. This is a meaningful distinction in practical terms; organisations cannot rely on user behaviour alone to mitigate risk. Simply viewing a document thumbnail or preview in Windows Explorer or Outlook is sufficient to trigger the exploit.
CVE-2026-26110 is a type confusion flaw in Microsoft Office, while CVE-2026-26113 is an untrusted pointer dereference. Both carry CVSS scores of 8.4 and are rated critical. In security rating terms, this reflects high impact potential, though exploitation itself occurs locally on the device: the malicious code must ultimately be triggered on the local machine.
The practical risk depends heavily on how Office is used in specific environments. Remote code execution vulnerabilities in Office applications pose significant risks for organisations because documents are widely shared via email, file shares, and collaboration platforms. If these flaws are exploited, attackers could gain control of user systems, deploy ransomware, steal corporate data, or move laterally across internal networks.
Neither vulnerability was publicly disclosed or observed in active attacks at release, and exploitation is currently assessed as less likely. Microsoft's analysis indicates that functional exploit code for these vulnerabilities is currently unproven, and as of the disclosure date, there are no recorded instances of threat actors exploiting these specific flaws in the wild. However, this window may be temporary; because the vulnerabilities have been publicly confirmed and carry a critical impact rating, it is highly likely that ransomware operators and state-sponsored groups will begin reverse-engineering the patch to develop working exploits.
Microsoft has released patches through its standard update mechanisms. Customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications. Organisations using older versions of Office, such as 2016 or 2019, need to apply security updates more deliberately.
The speed of deployment matters significantly here. This marks the first monthly update without an actively exploited zero-day in six months, which offers some breathing room compared to previous months. Yet security teams should still treat these patches as a priority; the gap between public disclosure and working exploit tools historically narrows rapidly once researcher attention focuses on patched vulnerabilities.