Microsoft's March release addressed 83 common vulnerabilities and exposures, two of which were listed as publicly known and none under active exploitation; among them is a critical information disclosure vulnerability in Microsoft Excel.
This Excel flaw, designated CVE-2026-26144, allows an attacker to cause the Copilot Agent to exfiltrate data via unintended network egress without user interaction. The vulnerability has significant implications for corporate environments where Excel files often contain sensitive financial data and intellectual property.
Zero Day Initiative chief bug hunter Dustin Childs described the vulnerability as “fascinating.” Childs noted that “an attack scenario we’re likely to see more often” now involves AI-assisted exploitation.
Microsoft stated that CVE-2026-26144 requires network access to exploit but no user interaction or privilege escalation. Action1 CEO Alex Vovk stated that information disclosure vulnerabilities are especially dangerous in corporate settings because attackers could silently extract confidential information without triggering obvious alerts.
Two other critical Office remote code execution bugs, CVE-2026-26110 and CVE-2026-26113, can be triggered via the Preview Pane. This mechanism allows an attacker to exploit the system without a user fully opening a malicious file.
CVE-2026-26110 is a type confusion flaw in Microsoft Office that allows a remote attacker to execute code locally. CVE-2026-26113 is an untrusted pointer dereference flaw that also allows remote attackers to execute code locally.
Jack Bicer, director of vulnerability research at Action1, stated that when a document preview triggers code execution, attackers gain a doorway directly into the system. Childs stated that these Preview Pane exploits have become increasingly common over the last year and it is just a matter of time until they appear in active exploits.
Two vulnerabilities are listed as publicly known but not exploited. CVE-2026-26127 is an out-of-bounds read issue in .NET that allows an unauthorized attacker to deny service over a network. Microsoft assessed that exploitation is unlikely.
CVE-2026-21262 is an improper access control flaw in SQL Server allowing an authorized attacker to elevate privileges over a network. Microsoft stated this flaw is “less likely” to be exploited in the wild.
Microsoft released a total of eight critical-rated CVEs in March. None of the vulnerabilities released in March are currently under active exploitation.