CVE-2026-26113 – Microsoft Office Remote Code Execution Vulnerability

This vulnerability in Microsoft Office allows an attacker to execute arbitrary code on a system due to an untrusted pointer dereference flaw (CWE-822). The issue occurs when Microsoft Office improperly handles memory pointers, potentially allowing an attacker to manipulate how the application accesses memory. Successful exploitation could allow the attacker to run code on the affected system with the same privileges as the current user. Notably, the Preview Pane can serve as an attack vector, meaning exploitation may occur simply by viewing a malicious file.

CVSS Score: 8.4
SEVERITY: High

THREAT:
This vulnerability enables attackers to execute arbitrary code on a local system without requiring privileges or user interaction. If exploited, the attacker could gain the ability to install malware, modify system files, or manipulate sensitive data. Because the vulnerability impacts widely used Office applications and can be triggered through document previewing, it presents a significant risk in environments where users frequently interact with shared or downloaded files.

EXPLOITS:
At the time of release, there are no known public exploits or proof-of-concept code available for this vulnerability. Microsoft has confirmed the issue but reports that it has not been publicly disclosed or actively exploited. The current exploitability assessment indicates exploitation is less likely, and exploit code maturity remains unproven.

TECHNICAL SUMMARY:
The vulnerability is caused by an untrusted pointer dereference within Microsoft Office. When the application processes certain crafted content, it may improperly reference or handle a memory pointer that points to an unsafe or attacker-controlled location. This incorrect pointer handling can lead to memory corruption, enabling the execution of arbitrary code. The attacker could exploit the flaw by delivering a specially crafted Office document that triggers the vulnerability when processed. Because the Preview Pane can act as an attack vector, the malicious content may execute even if the document is only previewed and not fully opened.

EXPLOITABILITY:
The vulnerability affects Microsoft Office environments. The attack vector is classified as local, meaning the malicious file must be executed or processed on the local system. The Preview Pane can trigger the vulnerability, allowing exploitation when a malicious Office document is previewed in supported file viewers.

BUSINESS IMPACT:
Remote code execution vulnerabilities in productivity software represent a high-risk threat for organizations. If exploited, attackers could gain control of employee systems, deploy ransomware, steal sensitive documents, or establish persistent access within corporate networks. Because Office documents are frequently shared internally and externally, malicious files could spread quickly across organizations, potentially turning a single compromised system into an entry point for wider network compromise.

WORKAROUND:
If the security update cannot be applied immediately, organizations should disable the Preview Pane in file explorers and restrict the opening of Office files from untrusted sources. Implementing email filtering, attachment scanning, and endpoint protection monitoring can also reduce the risk of malicious document delivery.

URGENCY:
This vulnerability allows arbitrary code execution with no privileges and no user interaction. The ability to trigger the exploit through the Preview Pane increases the risk because users may not need to open a document for the attack to occur. Systems running vulnerable Office versions should receive security updates quickly to prevent potential compromise.