PatchSiren


CVE-2026-26134 Microsoft CVE debrief

CVE-2026-26134 is a Microsoft Office privilege-escalation vulnerability caused by an integer overflow or wraparound. NVD rates it HIGH with CVSS 7.8, and the published vector indicates that a local attacker with low privileges can exploit it without user interaction, with high impact to confidentiality, integrity, and availability. Microsoft’s advisory is the primary remediation reference, and NVD’s vulnerable CPE currently points to Microsoft Office on Android before 16.0.19822.20000.

Vendor: Microsoft
Product: Office
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-13
Advisory published: 2026-03-10
Advisory updated: 2026-03-13

Who should care

Administrators and security teams responsible for Microsoft Office deployments, especially environments that manage Office on Android devices, should review this issue and prioritize remediation.

Technical summary

The NVD entry for CVE-2026-26134 lists CVSS v3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which means the issue is locally exploitable, requires low privileges, and does not need user interaction. The weakness is mapped to CWE-190 (integer overflow or wraparound), and Microsoft’s advisory also associates CWE-416. NVD’s vulnerable CPE data identifies Microsoft Office on Android, with affected versions ending before 16.0.19822.20000.

Defensive priority

High. The combination of local exploitability, privilege escalation, and high CVSS impact makes this a priority update for affected Office deployments.

Recommended defensive actions

  • Review Microsoft’s advisory for CVE-2026-26134 and apply the vendor-recommended update for affected Office installations.
  • Verify whether your managed Office estate includes the Android CPE referenced by NVD, and confirm version exposure against the 16.0.19822.20000 boundary.
  • Prioritize patching on devices where lower-privileged users can obtain local access to Office.
  • Track endpoint and mobile device management compliance to ensure the fix is deployed and retained.
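
One way to run the version check from the second item above over an app-inventory export, as an added example (not Microsoft or NVD tooling). The CSV columns, device names and status labels are assumptions, and the sample rows are constructed.

```python
# Added example: triage an inventory export against NVD's versionEndExcluding
# boundary for CVE-2026-26134. Column names and rows are constructed.
import csv
import io

FIXED_VERSION = "16.0.19822.20000"  # versionEndExcluding from the NVD CPE
TARGET_PLATFORM = "android"         # target_sw field of the NVD CPE

# Constructed sample standing in for an MDM app-inventory export.
SAMPLE_INVENTORY = """device,platform,app,version
pixel-001,android,Microsoft Office,16.0.19822.20000
pixel-002,android,Microsoft Office,16.0.9999.20010
tab-003,Android,Microsoft Office,16.0.19725.20132
tab-004,android,Microsoft Office,unknown
ipad-005,ios,Microsoft Office,2.90
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row, fixed=FIXED_VERSION):
    """Return 'outside_nvd_cpe', 'vulnerable', 'fixed' or 'unknown' for one row."""
    if row["platform"].strip().lower() != TARGET_PLATFORM:
        return "outside_nvd_cpe"  # not matched by the CPE; check the advisory
    version = parse_version(row["version"])
    if version is None:
        return "unknown"  # needs manual follow-up; never count it as patched
    # Compare component by component as integers. A plain string comparison
    # would rank 16.0.9999.x above 16.0.19822.x and hide an exposed device.
    # versionEndExcluding means strictly below the boundary is affected.
    return "vulnerable" if version < parse_version(fixed) else "fixed"

def triage(csv_text):
    """Map each device name to its classification."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device"]: classify(row) for row in reader}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Rows reported as unknown should be resolved by re-querying the device rather than dropped from the compliance count.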

Evidence notes

Source corpus includes the NVD record for CVE-2026-26134, published 2026-03-10 and modified 2026-03-13, plus the Microsoft MSRC advisory referenced by NVD. The NVD metadata lists CVSS v3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, weakness CWE-190, and Microsoft advisory metadata also lists CWE-416. NVD’s vulnerable CPE is cpe:2.3:a:microsoft:office:*:*:*:*:*:android:*:* with versionEndExcluding 16.0.19822.20000.

Official resources

Publicly disclosed on 2026-03-10; last modified on 2026-03-13.