The Office 'local' loophole — why Microsoft's latest 'Critical' patches aren't just for IT pros


The second Tuesday of each month is known as Patch Tuesday. Windows 11's Patch Tuesday update included a bunch of good upgrades — a welcome change from the issues that plagued the OS recently. But another flagship Microsoft product, Office, had a pair of vulnerabilities flagged.

Tracked as CVE-2026-26110 and CVE-2026-26113, the vulnerabilities could be used to execute code locally. Both vulnerabilities require local access, making them harder to exploit.


When 'Local' isn't really local

Microsoft titling these as "Remote Code Execution" while requiring "Local Access" seems like a contradiction. Microsoft explains the distinction this way:

"The word Remote in the title refers to the location of the attacker... The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability."

In other words, an attacker could send you a file remotely but the file would need to be processed locally.

The catch is that since the Office Preview Pane is a valid attack vector for these vulnerabilities, a local user does not need to double-click a file or "Enable Macros" to be at risk. Simply clicking an email to see its preview in Outlook is enough to "locally process" the file and let the attacker in.

How to stay safe

Microsoft has already released patches for all supported versions of Office. If you’re still running Office 2013 (which is now past its end-of-support date), you won't be receiving this fix.

To secure your system:

  • Open Windows Update and check for the latest updates.
  • Ensure the latest Microsoft 365 or Office 2016/2019/2021 updates are installed.
  • If you can't patch immediately, consider disabling the Preview Pane in Outlook and File Explorer (this can be done through the View menu).
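
The checks in the list above can be scripted for a single PC; this is an added example, not code from the article or from Microsoft. The minimum build is a placeholder to fill in from the MSRC advisory for your update channel, and the `NoReadingPane` check only sees a policy-enforced File Explorer setting, not a View-menu toggle or Outlook's Reading Pane.

```powershell
param(
    # Placeholder: supply the fixed build for your update channel from the MSRC advisory.
    [version]$MinimumOfficeBuild = '0.0.0.0'
)

function Get-OfficeClickToRunVersion {
    # Click-to-Run installs of Office record their installed build in this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($cfg -and $cfg.VersionToReport) { return [version]$cfg.VersionToReport }
    return $null   # MSI-based install or no Office found
}

function Get-OfficePatchStatus {
    param([version]$Installed, [version]$Required)
    if (-not $Installed) { return 'Unknown: no Click-to-Run install found, check Windows Update history' }
    if ($Required -eq [version]'0.0.0.0') { return 'Unknown: no minimum build supplied' }
    if ($Installed -ge $Required) { return 'Patched' }
    return 'Needs update'
}

function Test-ExplorerPreviewPanePolicyOff {
    # Value set by the "Turn off Preview Pane" user policy for File Explorer.
    # Assumption: the pane is disabled by policy; a View-menu toggle is not stored here.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = Get-ItemProperty -Path $key -Name NoReadingPane -ErrorAction SilentlyContinue
    return [bool]($val -and $val.NoReadingPane -eq 1)
}

$installed = Get-OfficeClickToRunVersion

# One object per machine, so results can be collected and exported across several PCs.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    OfficeBuild          = $installed
    RequiredBuild        = $MinimumOfficeBuild
    OfficeStatus         = Get-OfficePatchStatus -Installed $installed -Required $MinimumOfficeBuild
    PreviewPanePolicyOff = Test-ExplorerPreviewPanePolicyOff
}
```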

If you head over to the Microsoft Security Response Center (MSRC), you'll see hundreds of security advisories that were published on March 10, many of which are marked as "Important."

The Office vulnerabilities highlighted here are among a much smaller set that are marked as "Critical."

It's worth updating to address all the vulnerabilities, of course. To make sure your PC is secure, ensure that Windows and Office have been updated to their most recent versions.



Sean Endicott
News Writer and apps editor
