CVE-2026-26107 Overview
CVE-2026-26107 is a use-after-free vulnerability [CWE-416] in Microsoft Office Excel that allows an unauthorized attacker to execute code locally. The flaw affects multiple Microsoft Office products, including Microsoft 365 Apps, Excel 2016, Office 2019, Office Long-Term Servicing Channel (LTSC) 2021 and 2024, and Office Online Server. Exploitation requires user interaction, typically by opening a crafted spreadsheet. Successful exploitation yields code execution in the context of the current user, compromising confidentiality, integrity, and availability of the host.
Critical Impact
A crafted Excel document can trigger memory corruption that leads to arbitrary code execution under the user's privileges, providing an initial-access foothold on workstations.
Affected Products
- Microsoft 365 Apps (Enterprise, x86 and x64)
- Microsoft Excel 2016 (x86 and x64)
- Microsoft Office 2019 (x86 and x64)
- Microsoft Office LTSC 2021 and 2024 (Windows x86/x64 and macOS)
- Microsoft Office Online Server
Discovery Timeline
- 2026-03-10 - CVE-2026-26107 published to the National Vulnerability Database (NVD)
- 2026-03-10 - Microsoft published security update guidance for CVE-2026-26107
- 2026-03-13 - Last updated in NVD database
Technical Details for CVE-2026-26107
Vulnerability Analysis
The vulnerability is a use-after-free condition within Microsoft Office Excel's document parsing or object handling code. Excel references a memory object after it has been freed, allowing an attacker to control the contents of the reclaimed memory region. When Excel later dereferences the stale pointer, attacker-controlled data is interpreted as a valid object, including virtual function pointers. This results in arbitrary code execution in the context of the user running Excel.
The attack vector is local and requires user interaction, consistent with the typical Office document exploitation pattern. A victim must open a malicious .xls, .xlsx, or related spreadsheet delivered through email, web download, or shared storage. No elevated privileges are required to trigger the bug, and exploitation grants high impact across confidentiality, integrity, and availability.
Root Cause
The root cause is improper object lifetime management classified as [CWE-416]. Excel releases an internal object while another code path retains a reference to it. A crafted document forces the application to operate on the dangling pointer before the allocator reuses the slot, enabling a controllable type confusion or virtual call hijack.
Attack Vector
An attacker delivers a weaponized Excel workbook to the target. Opening the file in a vulnerable Excel build triggers the freed object access, redirecting execution to attacker-supplied shellcode or a return-oriented programming (ROP) chain. Office Online Server installations are also affected, expanding the attack surface to server-side document rendering.
No verified public proof-of-concept code is available. See the Microsoft Security Update CVE-2026-26107 advisory for vendor technical detail.
Detection Methods for CVE-2026-26107
Indicators of Compromise
- Excel (EXCEL.EXE) spawning unexpected child processes such as cmd.exe, powershell.exe, rundll32.exe, mshta.exe, or wscript.exe
- Excel crashes with access violation exceptions on workbook open, particularly in modules associated with object parsing
- Unusual outbound network connections initiated by EXCEL.EXE shortly after a document is opened
- New persistence artifacts (Run keys, scheduled tasks, startup folder entries) created during or immediately after an Excel session
Detection Strategies
- Hunt for Office applications writing executable content (.exe, .dll, .scr, .js) to user-writable directories such as %TEMP%, %APPDATA%, and %PUBLIC%
- Alert on Office process trees that lead to LOLBins (living-off-the-land binaries) or script interpreters
- Correlate Microsoft-Windows-Application-Error events for Excel with subsequent process creation or network activity
- Inspect inbound email attachments and SharePoint uploads for anomalous Excel files containing embedded OLE objects or unusual stream structures
Monitoring Recommendations
- Forward Sysmon Event IDs 1 (process create), 7 (image load), and 11 (file create) for EXCEL.EXE to your SIEM
- Track Windows Defender Exploit Guard and Attack Surface Reduction (ASR) telemetry for Office child-process blocks
- Monitor endpoints for repeated Excel crashes that may indicate exploitation attempts or unstable shellcode
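The indicator and detection bullets above can be turned into a small rule set run over Sysmon Event ID 1 (process create) and Event ID 11 (file create) records. The following is an added example, not code from the advisory or from Microsoft; the event records are constructed and simplified (Sysmon field names, made-up values), and the path markers and child-process list are assumptions drawn from the bullets rather than a vendor rule.

```python
import ntpath

# Child processes and file types the indicators above call out. Values are
# lowercase so comparisons are case-insensitive, matching Windows semantics.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js"}
# Substrings that identify the user-writable locations named in the text
# (%TEMP%, %APPDATA%, %PUBLIC%) once the path has been lowercased.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def is_excel(image):
    """True when a Sysmon Image/ParentImage path refers to EXCEL.EXE."""
    return ntpath.basename(image).lower() == "excel.exe"

def check_event(evt):
    """Return an alert tag for one Sysmon-style event, or None if benign."""
    if evt["EventID"] == 1 and is_excel(evt.get("ParentImage", "")):
        child = ntpath.basename(evt["Image"]).lower()
        if child in SUSPICIOUS_CHILDREN:
            return f"excel_child_process:{child}"
    if evt["EventID"] == 11 and is_excel(evt.get("Image", "")):
        target = evt["TargetFilename"].lower()
        if (ntpath.splitext(target)[1] in EXECUTABLE_EXTS
                and any(m in target for m in USER_WRITABLE_MARKERS)):
            return f"excel_wrote_executable:{ntpath.basename(target)}"
    return None

def scan(events):
    """Run check_event over a batch and return (UtcTime, alert) pairs."""
    return [(e["UtcTime"], a) for e in events if (a := check_event(e))]

# Constructed sample events (not real telemetry); field names follow Sysmon.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-03-11 09:01:02", "ParentImage": OFFICE,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2026-03-11 09:01:03", "ParentImage": OFFICE,
     "Image": r"C:\Windows\splwow64.exe"},          # normal print helper
    {"EventID": 11, "UtcTime": "2026-03-11 09:01:04", "Image": OFFICE,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"EventID": 11, "UtcTime": "2026-03-11 09:01:05", "Image": OFFICE,
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx"},
    {"EventID": 1, "UtcTime": "2026-03-11 09:02:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
```

Running scan(SAMPLE_EVENTS) flags only the cmd.exe child and the DLL written to %TEMP%; the print helper, the saved workbook, and the Explorer-launched PowerShell pass as benign.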
How to Mitigate CVE-2026-26107
Immediate Actions Required
- Apply Microsoft's March 2026 security updates referenced in the Microsoft Security Update CVE-2026-26107 advisory to all affected Office installations
- Prioritize patching for users who routinely receive external Excel attachments, such as finance, procurement, and executive staff
- Enable Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes and executable content
- Confirm Office Online Server instances are updated, since server-side rendering is in scope
Patch Information
Microsoft released fixes through standard channels for Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024 (Windows and macOS), and Office Online Server. Validate update deployment using the build numbers listed in the MSRC advisory and ensure both x86 and x64 packages are covered. EPSS currently rates the exploitation probability at 0.068%, but unpatched Office endpoints remain attractive initial-access targets.
Workarounds
- Configure Protected View and Office Trust Center to block macros and active content from the internet and email attachments
- Open untrusted spreadsheets in Excel for the web or a sandboxed virtual machine until patches are applied
- Restrict execution of Office child processes using AppLocker or Windows Defender Application Control policies
- Use email gateway controls to strip or detonate Excel attachments from untrusted senders
# Enable Microsoft Defender ASR rule: Block Office apps from creating child processes.
# Add-MpPreference appends to the existing ASR rule list. Set-MpPreference replaces the
# whole list, so two consecutive Set-MpPreference calls would leave only the last rule enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
# Enable ASR rule: Block Office apps from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
# Verify both rule IDs are present and paired with action 1 (Block)
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.