Description
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-03-10
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Microsoft Office is vulnerable to type‑confusion because a resource is accessed using an incompatible type. The flaw enables an attacker to trigger execution of arbitrary code on the local machine. The impact is local code execution as confirmed by the vendor description, and the weakness is classified as CWE‑843, Type Confusion.

Affected Systems

The vulnerability affects Microsoft 365 Apps for Enterprise, Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, LTSC for Mac 2021, LTSC for Mac 2024, and Office for Android. No specific affected patch or version numbers are supplied in this record, so the full set of releases listed in the vendor data is considered potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not currently listed in the CISA KEV catalog. The attack vector is likely local; an attacker would need to supply or supply a malicious document or other payload that triggers the type‑confusion. The description does not explicitly state the method of delivery, so this assessment is inferred from the nature of the flaw and typical Office exploitation mechanisms.

Generated by OpenCVE AI on March 16, 2026 at 23:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review Microsoft’s update guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26110) and apply the latest security patches for the affected Office products.
  • If a patch is not immediately available, avoid opening unknown or suspicious Office documents until a fix is released.
  • Monitor Microsoft’s security advisories for any interim work‑arounds or additional guidance.

Generated by OpenCVE AI on March 16, 2026 at 23:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
Vendors & Products Microsoft office Long Term Servicing Channel

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
Title Microsoft Office Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-843
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office:*:*:android:*:*:*:*:*
cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2016 Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:33:16.377Z

Reserved: 2026-02-11T15:52:13.910Z

Link: CVE-2026-26110

cve-icon Vulnrichment

Updated: 2026-03-10T19:47:36.529Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:39.480

Modified: 2026-03-13T16:20:04.433

Link: CVE-2026-26110

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:34:03Z

Weaknesses