CVE-2026-26110 is a high-severity type confusion vulnerability that affects Microsoft Office products. It allows unauthorized attackers to execute code locally, posing a significant risk to organizations. With a CVSS score of 8.4, the vulnerability has serious security implications, particularly given the widespread use of Microsoft Office in corporate environments.
The vulnerability was published on March 10, 2026, and remains critical due to its ability to impact confidentiality, integrity, and availability. Organizations using affected versions of Microsoft Office should be aware of the urgency to remediate this issue to prevent exploitation.
As of now, there are no public exploits or known active exploitation in the wild. However, the potential for exploitation remains high, making it crucial for defenders to prioritize patching measures.
Organizations should prioritize patching immediately to mitigate the risks associated with this vulnerability. Immediate action is necessary to protect sensitive data and ensure secure operations.
Vulnerability Details
The official description of this vulnerability states that it involves access of a resource using an incompatible type, leading to potential code execution by unauthorized attackers. The vulnerability has been assigned a CVSS score of 8.4, categorizing it as high severity.
The affected products include Microsoft 365 Apps, various versions of Microsoft Office, and the Office Long Term Servicing Channel. The publication date of the vulnerability is March 10, 2026, and it falls under the CWE-843 classification.
Technical Analysis
The root cause of CVE-2026-26110 is a type confusion error in Microsoft Office, which allows an attacker to leverage incompatible data types to execute arbitrary code. The attack vector is local, requiring no user interaction and no elevated privileges, which poses a significant risk.
Given the low attack complexity, attackers could exploit this vulnerability easily. The impacts on confidentiality, integrity, and availability are high, making this a critical security concern for organizations.
Risk & Impact Analysis
Organizations using vulnerable versions of Microsoft Office face a serious risk. The potential for unauthorized code execution could lead to data breaches, system instability, and loss of customer trust. The blast radius includes all users of the affected products, amplifying the urgency of remediation efforts.
Given the CVSS score of 8.4, organizations should address this vulnerability in their priority patch cycle. The vulnerability's status in the KEV catalog confirms it as a high-priority item for security teams.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
The vulnerability affects several versions of Microsoft Office, including:
1. Microsoft 365 Apps (x86 and x64)
2. Microsoft Office 2016 (x86 and x64)
3. Microsoft Office 2019 (x86 and x64)
4. Microsoft Office Long Term Servicing Channel 2021 and 2024 (x86, x64, and macOS)
5. Microsoft Office for Android (versions prior to 16.0.19822.20000)
Mitigation & Remediation
Organizations should ensure they are using updated versions of Microsoft Office. It is important to check for and apply patches from Microsoft that address this vulnerability.
For more detailed steps on securing your applications, consider engaging in penetration testing to identify potential vulnerabilities.
Detection Guidance
Monitoring log indicators for unauthorized access attempts and unusual system behavior can aid in detecting potential exploitation of this vulnerability. Additionally, keeping track of system changes post-patch application is critical.
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2026-26110 lies in its demonstration of how type confusion vulnerabilities can allow unauthorized code execution, emphasizing the need for rigorous testing and validation in software development. Security teams should take this incident as a learning opportunity to strengthen their defensive measures against similar vulnerabilities.
For more insights into vulnerability management, organizations can refer to the following resources: vulnerability management best practices, penetration testing methodology, and security testing best practices to enhance overall security posture.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
