Cyber Resilience

CVE-2026-26109

High

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0042 33.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26109 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-26109 is an out-of-bounds read vulnerability (CWE-125) affecting Microsoft Office Excel. Published on 2026-03-10, it carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue enables an unauthorized attacker to execute code locally through malformed Excel files.

An attacker requires only local access to the target system, with low attack complexity, no privileges, and no user interaction. Exploitation leads to arbitrary code execution, granting high impacts on confidentiality, integrity, and availability.

Microsoft's Security Response Center has published an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26109, which provides details on mitigation and patching.

EU & UK References

Vulnerability details

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Out-of-bounds read in Excel enabling arbitrary code execution via malformed files directly maps to exploitation of a client application for code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20946Same product: Microsoft 365 Apps
CVE-2026-40360Same product: Microsoft 365 Apps
CVE-2026-40359Same product: Microsoft 365 Apps
CVE-2025-21362Same product: Microsoft 365 Apps
CVE-2025-24081Same product: Microsoft 365 Apps
CVE-2025-21354Same product: Microsoft 365 Apps
CVE-2025-21383Same product: Microsoft 365 Apps
CVE-2026-26108Same product: Microsoft 365 Apps
CVE-2026-26112Same product: Microsoft 365 Apps
CVE-2026-26107Same product: Microsoft 365 Apps

Affected Assets

microsoft
365 apps
all versions
microsoft
excel
2016
microsoft
office
2019
microsoft
office long term servicing channel
2021, 2024
microsoft
office online server
≤ 16.0.10417.20102

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the out-of-bounds read vulnerability in Microsoft Office Excel through timely flaw remediation and patching as referenced in the MSRC update guide.

prevent

Implements memory protections such as ASLR and DEP to mitigate arbitrary code execution resulting from the out-of-bounds read in Excel.

preventdetect

Deploys malicious code protection mechanisms at endpoints to scan and block malformed Excel files exploiting this vulnerability.

References