CVE-2026-26134 Overview
CVE-2026-26134 is an integer overflow vulnerability in Microsoft Office that allows an authorized local attacker to elevate privileges. The flaw maps to [CWE-190] Integer Overflow or Wraparound and affects the Android distribution of Microsoft Office. An attacker with low-privileged local access can trigger arithmetic wraparound conditions that lead to memory corruption and subsequent privilege escalation. Microsoft published the advisory on March 10, 2026, with a CVSS 3.1 base score of 7.8.
Critical Impact
Successful exploitation grants the attacker high impact on confidentiality, integrity, and availability through local privilege escalation in Microsoft Office.
Affected Products
- Microsoft Office (Android distribution)
- Microsoft Office components identified by cpe:2.3:a:microsoft:office:*:*:*:*:*:android:*:*
- Office installations referenced in the Microsoft CVE-2026-26134 Advisory
Discovery Timeline
- 2026-03-10 - Microsoft publishes the CVE-2026-26134 advisory
- 2026-03-10 - CVE-2026-26134 published to NVD
- 2026-03-13 - Last updated in NVD database
Technical Details for CVE-2026-26134
Vulnerability Analysis
The vulnerability stems from improper handling of integer arithmetic within Microsoft Office on Android. When the application processes specific input values, an arithmetic operation exceeds the maximum representable value and wraps around to a smaller or negative number. This wraparound undermines subsequent size calculations, buffer allocations, or bounds checks that depend on the result. The flaw is classified under [CWE-190] Integer Overflow or Wraparound.
The attack vector is local and requires an authorized user context. An attacker who can run code on the device, or convince a low-privileged user to open a crafted Office document, can drive the vulnerable arithmetic path. Once the wraparound occurs, downstream memory operations corrupt adjacent structures and yield elevated privileges in the Office process context.
The EPSS score is 0.041%, indicating low predicted exploitation activity at publication. No public proof-of-concept code or in-the-wild exploitation has been reported, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is missing or insufficient validation of integer values used in size or index calculations. When inputs exceed implicit bounds, the affected routine produces a truncated or wrapped value rather than rejecting the operation. The resulting undersized allocation or miscalculated offset leads to memory safety violations exploitable for privilege elevation.
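The wraparound described in the Vulnerability Analysis and Root Cause sections, as an added illustration rather than Office's own code: a 32-bit size product that wraps, the count-based bounds check it defeats, and the checked multiplication (GCC/Clang `__builtin_mul_overflow`) that rejects the same header values. The header fields and values are constructed.

```c
/* Added example, not Microsoft Office code: a CWE-190 wraparound in a 32-bit
 * size calculation, the naive bounds check it defeats, and the checked
 * arithmetic that rejects the same input. Needs GCC or Clang for
 * __builtin_mul_overflow. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable pattern: the product is computed in 32 bits and used as the
 * buffer size. 0x40000001 * 4 = 0x100000004, which wraps to 4. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;                 /* wraps silently */
}

/* Hardened pattern: the same product, but the operation is refused when the
 * result does not fit in 32 bits. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    return !__builtin_mul_overflow(count, elem_size, out);
}

/* Models the vulnerable routine: the buffer is sized with the wrapped product,
 * but the element index is validated against the untrusted count rather than
 * the buffer. Returns true when writing element idx would run past the buffer,
 * i.e. when memory corruption would occur. Nothing is actually written. */
bool vulnerable_write_overflows(uint32_t count, uint32_t elem_size, uint32_t idx) {
    uint32_t buf_size = unchecked_alloc_size(count, elem_size);
    if (idx >= count) return false;           /* the only check the code has */
    uint64_t end = (uint64_t)idx * elem_size + elem_size;
    return end > buf_size;
}

/* Hardened routine: a wrapped request never reaches the allocation, so after
 * this check idx < count implies (idx + 1) * elem_size <= buf_size. */
bool hardened_write_ok(uint32_t count, uint32_t elem_size, uint32_t idx) {
    uint32_t buf_size;
    if (!checked_alloc_size(count, elem_size, &buf_size)) return false;
    return idx < count;
}

int main(void) {
    /* Constructed header values: just over 4 GiB worth of 4-byte elements */
    uint32_t count = 0x40000001u, elem = 4u;
    printf("unchecked size: %u bytes\n", (unsigned)unchecked_alloc_size(count, elem));
    printf("vulnerable path corrupts memory: %s\n",
           vulnerable_write_overflows(count, elem, 5u) ? "yes" : "no");
    printf("hardened path accepts request: %s\n",
           hardened_write_ok(count, elem, 5u) ? "yes" : "no");
    return 0;
}
```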
Attack Vector
Exploitation requires local access and low privileges, with no user interaction beyond the attacker's own context. The adversary delivers crafted data to a vulnerable Office code path on Android. Triggering the overflow corrupts process state and elevates privileges within the Office application's trust boundary. See the Microsoft CVE-2026-26134 Advisory for vendor-specific technical context.
Detection Methods for CVE-2026-26134
Indicators of Compromise
- Unexpected crashes or abnormal terminations of Microsoft Office processes on Android devices, particularly when opening attacker-supplied documents.
- Office process spawning unusual child processes or accessing files outside its normal sandbox scope.
- Mobile device management (MDM) alerts showing unauthorized configuration changes or escalated permissions tied to the Office app.
Detection Strategies
- Monitor mobile threat defense telemetry for anomalous behavior in the Microsoft Office Android package, including memory faults and unexpected privilege requests.
- Correlate document open events with subsequent permission changes or sensitive data access by the Office process.
- Deploy behavioral detection on managed mobile endpoints to flag exploitation patterns associated with integer overflow primitives.
Monitoring Recommendations
- Enforce MDM logging for Microsoft Office version inventory and patch level across the managed fleet.
- Alert on Office app version strings that remain below the patched build referenced in the Microsoft advisory.
- Track document delivery channels such as email, messaging, and cloud storage that introduce untrusted files into Office on Android.
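One way to implement the version alert from the list above, as an added example rather than any Microsoft tooling: a numeric dotted-version comparison run over a constructed MDM inventory, with the patched build as a placeholder to be replaced by the value in the advisory.

```c
/* Added example, not part of the advisory or any Microsoft tool: flag Office
 * for Android installs whose reported version is below the patched build.
 * Dotted versions must be compared numerically per component; plain string
 * comparison misorders them. The patched build below is a placeholder. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder, not a real build: take the actual value from the advisory. */
#define PATCHED_BUILD "16.0.20000.00000"

/* Compare dotted numeric versions; missing or non-numeric components count
 * as 0. Returns <0, 0, >0 like strcmp. */
int version_cmp(const char *a, const char *b) {
    while (*a || *b) {
        char *end;
        unsigned long x = strtoul(a, &end, 10);
        a = (end == a) ? a + strcspn(a, ".") : end;   /* skip junk components */
        unsigned long y = strtoul(b, &end, 10);
        b = (end == b) ? b + strcspn(b, ".") : end;
        if (x != y) return x < y ? -1 : 1;
        if (*a == '.') a++;
        if (*b == '.') b++;
    }
    return 0;
}

struct install { const char *device; const char *version; };

/* True when the install is still on a build below the patched one. */
bool needs_alert(const struct install *i, const char *patched) {
    return version_cmp(i->version, patched) < 0;
}

/* Runs the check over a constructed MDM inventory and returns how many
 * devices would be alerted on. */
size_t demo_alert_count(void) {
    static const struct install inventory[] = {
        { "dev-001", "16.0.19999.20110" },   /* below: alert */
        { "dev-002", "16.0.20000.00000" },   /* equal to patched: ok */
        { "dev-003", "16.0.20014.20002" },   /* newer: ok */
        { "dev-004", "16.0.9.0" },           /* below, although strcmp ranks it "newer" */
    };
    size_t n = sizeof inventory / sizeof inventory[0], alerts = 0;
    for (size_t k = 0; k < n; k++) alerts += needs_alert(&inventory[k], PATCHED_BUILD);
    return alerts;
}
```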
How to Mitigate CVE-2026-26134
Immediate Actions Required
- Apply the Microsoft Office update referenced in the Microsoft CVE-2026-26134 Advisory across all Android devices with Office installed.
- Inventory managed mobile devices and identify Office installations that are not yet on the patched version.
- Restrict opening of Office documents from untrusted sources until patching is complete across the fleet.
Patch Information
Microsoft has published guidance for CVE-2026-26134 through the Microsoft Security Response Center. Administrators should consult the Microsoft CVE-2026-26134 Advisory for the fixed build numbers and update the Microsoft Office Android application through the Google Play Store or enterprise MDM channels.
Workarounds
- Limit installation of Microsoft Office on Android to devices enrolled in MDM with enforced update policies.
- Use mobile application management policies to block opening of documents from unmanaged sources.
- Disable preview or auto-open functionality for Office attachments in mobile email clients until patches are applied.
# Configuration example: enforce a minimum Office app version via an Intune app
# protection policy, written here against the Microsoft Graph PowerShell SDK
# (the Intune PowerShell SDK cmdlet New-IntuneAppProtectionPolicy is deprecated)
# Replace <PATCHED_VERSION> with the fixed build from the Microsoft advisory
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
# Installs below minimumRequiredAppVersion are blocked from accessing work data
$policy = New-MgDeviceAppManagementAndroidManagedAppProtection -BodyParameter @{
    displayName               = "Office-Android-CVE-2026-26134"
    minimumRequiredAppVersion = "<PATCHED_VERSION>"
}
# Target the policy at the Microsoft 365 (Office) Android package via the targetApps action
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/$($policy.Id)/targetApps" `
    -Body @{ apps = @(@{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"
                                                    packageId   = "com.microsoft.office.officehubrow" } }) }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.