CVE-2026-26109

High

Published: 10 March 2026

Published

10 March 2026

Modified

13 March 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.6th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26109 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the out-of-bounds read vulnerability in Microsoft Office Excel through timely flaw remediation and patching as referenced in the MSRC update guide.

SI-16 Memory Protection partial match

prevent

Implements memory protections such as ASLR and DEP to mitigate arbitrary code execution resulting from the out-of-bounds read in Excel.

SI-3 Malicious Code Protection partial match

preventdetect

Deploys malicious code protection mechanisms at endpoints to scan and block malformed Excel files exploiting this vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Out-of-bounds read in Excel enabling arbitrary code execution via malformed files directly maps to exploitation of a client application for code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Deeper analysisAI

CVE-2026-26109 is an out-of-bounds read vulnerability (CWE-125) affecting Microsoft Office Excel. Published on 2026-03-10, it carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue enables an unauthorized attacker to execute code locally through malformed Excel files.

An attacker requires only local access to the target system, with low attack complexity, no privileges, and no user interaction. Exploitation leads to arbitrary code execution, granting high impacts on confidentiality, integrity, and availability.

Microsoft's Security Response Center has published an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26109, which provides details on mitigation and patching.

Details

CWE(s): CWE-125

Affected Products

microsoft

365 apps

all versions

microsoft

excel

2016

microsoft

office

2019

microsoft

office long term servicing channel

2021, 2024

microsoft

office online server

≤ 16.0.10417.20102

CVEs Like This One

CVE-2026-20946Same product: Microsoft 365 Apps

CVE-2025-24081Same product: Microsoft 365 Apps

CVE-2025-21362Same product: Microsoft 365 Apps

CVE-2025-21354Same product: Microsoft 365 Apps

CVE-2025-49697Same product: Microsoft 365 Apps

CVE-2025-21383Same product: Microsoft 365 Apps

CVE-2025-21390Same product: Microsoft 365 Apps

CVE-2025-21386Same product: Microsoft 365 Apps

CVE-2025-24075Same product: Microsoft 365 Apps

CVE-2026-26112Same product: Microsoft 365 Apps

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26109
Vendor Advisory · secure@microsoft.com