Outlook vulnerability runs malicious code without opening the email
CVE-2026-26113 and CVE-2026-26110 allow code execution just by viewing an email in the Preview Pane.
Two critical Microsoft Office vulnerabilities were patched in March. CVE-2026-26113 and CVE-2026-26110 both carry CVSS 8.8 and allow remote code execution through Outlook's Preview Pane. You do not need to open the attachment. You do not need to click. The email just needs to render.
CVE-2026-26113 is an untrusted pointer dereference. CVE-2026-26110 is a type confusion bug. Both cause memory corruption in Office's file parsing components that an attacker can redirect to their own code.
Why this matters
In a typical SMB environment with 15-30 users, most people sit in Outlook all day with Preview Pane enabled. An attacker only needs to send one email — it does not even need to be convincing. The preview triggers the exploit automatically.
Word, Excel, PowerPoint, and Outlook are all affected. Defender for Office 365 with Safe Attachments reduces the risk, but the patch is the only complete fix.
Do this now
- Deploy March updates via Intune. Verify all devices have received the patch.
- Confirm Safe Attachments is enabled in Defender for Office 365. It scans attachments before rendering.
- Consider temporarily disabling Preview Pane on unpatched devices.
- Check Intune compliance reports for devices that have not updated.
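One way to verify the patch per device is an Intune Remediations detection script that compares the installed Office build against the patched build. This is an added example, not part of the original advisory; it assumes Click-to-Run Office, and the minimum build is a placeholder you must fill in from Microsoft's advisory because this page does not state it.

```powershell
# Added example: Intune Remediations detection script.
# Intune treats exit 0 as compliant and exit 1 as "issue detected".
# ASSUMPTION: Office / Microsoft 365 Apps is installed via Click-to-Run.

# PLACEHOLDER: set to the patched build from Microsoft's advisory for
# CVE-2026-26113 / CVE-2026-26110. Build numbers differ per update channel,
# so assign this script per device group and use that group's channel build.
$MinimumPatchedBuild = '<PATCHED_BUILD_FOR_YOUR_CHANNEL>'

$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

# Never report "compliant" while the placeholder is still in place.
$required = $null
if (-not [version]::TryParse($MinimumPatchedBuild, [ref]$required)) {
    Write-Output 'Minimum patched build not configured; cannot assess this device.'
    exit 1
}

# Run in 64-bit PowerShell so the path is not redirected to WOW6432Node.
$config = Get-ItemProperty -Path $c2rKey -ErrorAction SilentlyContinue
if (-not $config -or -not $config.VersionToReport) {
    # Office missing, or an MSI install that is patched through Windows Update.
    # Flagged rather than passed so that someone looks at the device.
    Write-Output 'No Click-to-Run Office found; verify this device manually.'
    exit 1
}

$installed = $null
if (-not [version]::TryParse($config.VersionToReport, [ref]$installed)) {
    Write-Output "Unreadable Office version '$($config.VersionToReport)'."
    exit 1
}

if ($installed -lt $required) {
    Write-Output "UNPATCHED: Office $installed is older than $required."
    exit 1
}

Write-Output "OK: Office $installed meets minimum $required."
exit 0
```

Devices that report an issue are the ones where temporarily disabling Preview Pane is worth considering until the update lands.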
These are the kinds of bugs used in targeted attacks against specific companies. The Preview Pane vector makes the bar extremely low.
We can check your environment
We offer emergency patch verification (1-2 hours) where we confirm your devices are updated and Defender is configured to protect against this class of attack. Get in touch.
Sources: Krebs on Security, Zero Day Initiative