PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-26110 Microsoft CVE debrief

CVE-2026-26110 is a Microsoft Office type confusion vulnerability (CWE-843) that NVD rates 8.4/High using CVSS v3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. In the supplied NVD data, the affected scope spans Microsoft 365 Apps, Office 2016/2019, Office LTSC 2021/2024, and some Office Android builds, with Microsoft’s update guide linked as the vendor reference.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-13
Advisory published: 2026-03-10
Advisory updated: 2026-03-13

Who should care

Endpoint and desktop engineering teams, Microsoft 365/Office administrators, SOC and vulnerability management teams, and anyone responsible for supported or legacy Office deployments across Windows, macOS, or Android.

Technical summary

The issue is described as an access-of-resource-using-incompatible-type problem (type confusion) in Microsoft Office. According to the supplied NVD data, exploitation can lead to local code execution, and the mapped weakness is CWE-843. The referenced vulnerable CPEs include Microsoft 365 Apps (x64/x86), Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office for Android prior to version 16.0.19822.20000.

Defensive priority

High. Prioritize patching for systems that run affected Office builds: the supplied CVSS vector describes local code execution that requires no privileges (PR:N) and no user interaction (UI:N). Focus first on broadly deployed enterprise Office installations and any fleet segments using LTSC or Android Office builds in the NVD scope.

Recommended defensive actions

  • Review the Microsoft Security Response Center update guide for CVE-2026-26110 and apply the relevant Office updates as soon as they are available in your servicing channel.
  • Inventory affected Microsoft Office installations across Windows, macOS, and Android to identify exposure to the CPE scope listed by NVD.
  • Prioritize remediation for Microsoft 365 Apps, Office 2016/2019, and Office LTSC 2021/2024 deployments that match the vulnerable product families in the NVD record.
  • If Android Office is in use, verify versions are at or above 16.0.19822.20000, since NVD lists earlier versions as vulnerable.
  • Validate patch deployment and watch for unexpected Office process crashes or anomalous local execution activity as part of routine endpoint monitoring.
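
The inventory and version checks in the list above can be scripted. The following is an added example, not code from PatchSiren, NVD or Microsoft; the record layout, product strings, hostnames and status labels are assumptions, and only the Android threshold and the product families come from this debrief.

```python
# Added example, not PatchSiren, NVD or Microsoft code. The record layout and
# product strings are assumptions about what an asset inventory exports.

# Android threshold stated in the debrief: earlier versions are listed vulnerable.
ANDROID_THRESHOLD = (16, 0, 19822, 20000)

# Product families the debrief names; it gives no build threshold for these.
IN_SCOPE_FAMILIES = ("microsoft 365 apps", "office 2016", "office 2019",
                     "office ltsc 2021", "office ltsc 2024")


def parse_version(text):
    """Turn '16.0.19822.20000' into a tuple of ints so fields compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(record):
    """Classify one inventory record against the scope listed in the debrief."""
    product = record["product"].lower()
    if record["platform"].lower() == "android" and "office" in product:
        try:
            version = parse_version(record["version"])
        except ValueError:
            return "unknown-version"      # needs a manual look, not a silent pass
        return "vulnerable" if version < ANDROID_THRESHOLD else "meets-threshold"
    if any(family in product for family in IN_SCOPE_FAMILIES):
        return "verify-with-msrc"         # in scope; patched build comes from MSRC
    return "out-of-scope"


# Constructed sample inventory: hostnames and versions are made up.
INVENTORY = [
    {"host": "tab-01", "product": "Microsoft Office", "platform": "Android", "version": "16.0.9126.2000"},
    {"host": "tab-02", "product": "Microsoft Office", "platform": "Android", "version": "16.0.19822.20000"},
    {"host": "tab-03", "product": "Microsoft Office", "platform": "Android", "version": "16.0.x"},
    {"host": "wks-11", "product": "Microsoft 365 Apps for Enterprise", "platform": "Windows", "version": "16.0.17928.20114"},
    {"host": "mac-04", "product": "Office LTSC 2021", "platform": "macOS", "version": "16.78"},
    {"host": "wks-12", "product": "LibreOffice", "platform": "Windows", "version": "24.2.1"},
]


def report(inventory):
    """Map each host to its triage status."""
    return {r["host"]: triage(r) for r in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing the versions as plain strings would rank 16.0.9126.2000 above the threshold and miss tab-01, which is why each dotted field is converted to an integer first.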

Evidence notes

This debrief uses only the supplied official sources: the NVD CVE record and Microsoft’s MSRC update guide reference. The CVE was published on 2026-03-10 and last modified on 2026-03-13 per the supplied timeline. The affected product scope is derived from NVD CPE entries, and the weakness mapping is CWE-843 from the vendor/NVD data. No KEV date was supplied, and the enrichment flags indicate no KEV listing in the provided corpus.

Official resources

CVE published 2026-03-10 and modified 2026-03-13. The supplied enrichment shows no CISA KEV date and no ransomware-campaign indicator in the provided corpus.