Critical Office RCE vulnerabilities — the Preview Pane is the attack surface
Two critical RCE vulnerabilities in Microsoft Office let attackers execute code just by previewing a document in Outlook. Patch now.
Microsoft patched two critical vulnerabilities in Office during March Patch Tuesday — CVE-2026-26110 and CVE-2026-26113, both CVSS 8.4. Here is what it means for SMBs running M365 Business Premium.
What happened
Both vulnerabilities are type confusion and untrusted pointer dereference flaws in Office document processing. The dangerous part: an attacker can execute arbitrary code on your machine just by having you preview a document in the Outlook or Windows Explorer preview pane. You don't even need to open the file.
Word, Excel, PowerPoint, and Outlook are all affected. Any version without the March patch is vulnerable.
Why it matters for SMBs
If your employees use Outlook desktop — and most do — all it takes is an email with a malicious Office attachment landing in the inbox. The preview pane renders the file automatically. That is the attack surface.
CrowdStrike and the Zero Day Initiative both assess these vulnerabilities as "exploitation more likely." Active attacks are expected soon, if not already underway.
What you should do
Three things, in priority order:
- Verify March Patch Tuesday is installed on all endpoints. Check via Intune > Device compliance or run a manual check through the Microsoft 365 Apps admin center.
- Disable the preview pane in Outlook as an interim workaround if you cannot patch immediately. Go to View > Reading Pane > Off.
- Confirm automatic updates are working in Intune. If you have update rings configured, make sure M365 Apps are included and the March update has not been blocked.
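For the first and third steps, a per-device check can back up what the Intune console reports. The script below is an added example, not HaggeBurger or Microsoft code: it reads the installed Microsoft 365 Apps (Click-to-Run) build from the registry and compares it with a minimum version you supply. The page does not state the patched build number, so `-MinimumVersion` is an assumption you must fill in from Microsoft's update history for your update channel.

```powershell
# Added example: check the local Microsoft 365 Apps (Click-to-Run) build against
# a minimum version. Exit code 1 means the device needs attention.
[CmdletBinding()]
param(
    # ASSUMPTION: the patched build number is not given on this page. Pass the
    # March build for your update channel, taken from Microsoft's update history.
    [Parameter(Mandatory)]
    [version]$MinimumVersion
)

$configPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

if (-not (Test-Path -Path $configPath)) {
    # No Click-to-Run install found. MSI-based Office is not covered by this check.
    Write-Output 'Click-to-Run Office not detected on this device.'
    exit 0
}

$config    = Get-ItemProperty -Path $configPath
$installed = $null
if (-not [version]::TryParse([string]$config.VersionToReport, [ref]$installed)) {
    Write-Output "Could not parse installed version '$($config.VersionToReport)'."
    exit 1
}

$result = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    InstalledVersion = $installed
    MinimumVersion   = $MinimumVersion
    UpdatesEnabled   = $config.UpdatesEnabled   # string 'True' or 'False'
    UpdateChannelUrl = $config.CDNBaseUrl       # identifies the update channel
    Patched          = ($installed -ge $MinimumVersion)
}
$result | Format-List

# Flag devices that are below the minimum build, or that have Office updates
# explicitly switched off and will therefore miss the next patch as well.
if (-not $result.Patched -or $result.UpdatesEnabled -eq 'False') { exit 1 }
exit 0
```

Run it from an elevated or standard PowerShell session on the endpoint; a device that exits 1 is either below the build you supplied or has Office updates turned off.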
How HaggeBurger can help
We offer a quick patch verification (1-2 hours) where we confirm all your endpoints have the correct updates. For customers who want to go deeper, we do an M365 Apps security review covering patch status, update rings, and configuration.
Want us to check your environment? Get in touch.