Microsoft has revealed a serious security hole in Microsoft Office that could let hackers run harmful code on affected computers. The flaw, known as CVE-2026-26110, was made public on March 10, 2026, and has a CVSS score of 8.4, which means it poses a high risk to both businesses and individuals. The problem comes from a type confusion flaw in Microsoft Office.
If the problem is successfully exploited, attackers could run any code they want on a victim's device without needing special permissions. Security experts say that these kinds of holes can let attackers take full control of the systems they are targeting, which could lead to data theft, malware installation, or more network breaches.

Information about the vulnerability

Microsoft's advisory classifies the vulnerability under CWE-843, access of a resource using an incompatible type. This kind of type confusion happens when software doesn't handle object types in memory correctly. When exploited, the mistake can let malicious code run without warning.
The flaw affects Microsoft Office programs and lets hackers run code on the target machine without permission. Microsoft calls the problem a "remote code execution vulnerability," even though the CVSS metrics say the attack vector is local (AV:L). The word "remote" describes where the attacker is, not where the attack happens. In practice, the attack needs the local system to process malicious content.
Once activated, the flaw could let attackers run commands with the same rights as the user who is logged in.

The Preview Pane Could Start the Attack

Microsoft said that this security hole can be used to attack through the Office Preview Pane. This means that just looking at a specially made file could start the exploit without the user having to open the file.
Attacks that use previews raise the risk level because users might accidentally open harmful content while looking at files or email attachments. Attackers could use phishing campaigns, file-sharing sites, or hacked websites to spread harmful Office documents. Microsoft says, though, that exploitation is "less likely" right now, and at the time of the disclosure, there were no reports of active attacks or publicly available exploit code.
Attackers could gain a lot of control over the systems they attack if they are successful. Possible effects include:

- Running harmful software.
- Stealing private data that is stored on the device.
- Installation of additional malware or backdoors.
- Disruption of system operations.

The vulnerability affects the confidentiality, integrity, and availability of systems, all rated as high impact in the CVSS metrics. Microsoft has released official security updates to address the vulnerability and urges users to apply patches immediately.
Keeping Office applications updated is the most effective way to prevent exploitation. Organizations should also consider the following mitigation measures:

- Apply Microsoft’s latest security updates as soon as possible.
- Disable or limit automatic document previews when feasible.
- Educate users about phishing emails and suspicious attachments.
- Use endpoint protection tools that can find harmful documents.

Microsoft thanked an unnamed security researcher for responsibly reporting the flaw through coordinated disclosure. As cyber threats become more common in widely used productivity software, vulnerabilities like CVE-2026-26110 show how important it is to keep enterprise environments up to date with patches and good security practices.











