The Office 'local' loophole — why Microsoft's latest 'Critical' patches aren't just for IT pros

Microsoft 365 app on Windows 11 with shortcuts to create documents in Word, PowerPoint, Excel, and other Microsoft 365 applications.
Microsoft Office users need to install security patches to protect their PCs against a pair of critical vulnerabilities. (Image credit: Future)

The second Tuesday of each month is known as Patch Tuesday. Windows 11's Patch Tuesday update included a bunch of good upgrades — a welcome change from the issues that plagued the OS recently. But another flagship Microsoft product, Office, had a pair of vulnerabilities flagged.

Codenamed CVE-2026-26110 and CVE-2026-26113, the vulnerabilities could be used to execute code locally. Both vulnerabilties require local access, making them harder to exploit.

If an attacker gain local access to your PC, they have a better chance of being able to do damage or steal data. While Microsoft notes that "local access" makes them harder to exploit than a typical web-based attack, there is a major catch for the average user.

Latest Videos From

When 'Local' isn't really local

Microsoft titling these as "Remote Code Execution" while requiring "Local Access" seems like a contradiction. Microsoft explains the distinction this way:

"The word Remote in the title refers to the location of the attacker... The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability."

In other words, an attacker could send you a file remotely but the file would need to be processed locally.

The catch is that since the Office Preview Pane is a valid attack vector for these vulnerabilities, a local user does not need to double-click a file or "Enable Macros" to be at risk. Simply clicking an email to see its preview in Outlook is enough to "locally process" the file and let the attacker in.

How to stay safe

Microsoft has already released patches for all supported versions of Office. If you’re still running Office 2013 (which is now past its end-of-support date), you won't be receiving this fix.

To secure your system:

  • Open Windows Update and check for the latest updates.
  • Ensure the latest Microsoft 365 or Office 2016/2019/2021 updates are installed.
  • If you can't patch immediately, consider disabling the Preview Pane in Outlook and File Explorer (this can be done through the View menu).

If you head over to the Microsoft Security Response Center (MSRC), you'll see hundreds of security advisories that were published on March 10, many of which are marked as "Important."

The Office vulnerabilities highlighted here are among a much smaller set that are marked as "Critical."

It's worth updating to address all the vulnerabilities, of course. To make sure your PC is secure, ensure that Windows and Office have been updated to their most recent versions.

🗨️ How do you handle security updates?

Microsoft’s automatic update system is the unsung hero of Windows security, handling thousands of fixes like this every year behind the scenes. Do you trust the "set it and forget it" approach, or do you still prefer to manually check your update history just to be sure everything landed correctly? Let us know in the comments!


Click to join us on r/WindowsCentral

Join us on Reddit at r/WindowsCentral to share your insights and discuss our latest news, reviews, and more.


Sean Endicott
News Writer

Sean Endicott is a News Writer at Windows Central, where he covers Windows 11, Surface hardware, Microsoft 365, AI, apps, and the broader PC ecosystem. Since joining the site in 2017, he has written well over a thousand articles across the Microsoft landscape, covering breaking news, analysis, and feature reporting.

He writes Windows Wrap, a weekly column covering the biggest stories in Windows and the PC industry, and what they mean for the platform going forward.

Before joining Windows Central full-time, Sean worked in journalism and media production after earning a First Class degree in Broadcast Journalism from Nottingham Trent University. Outside of tech, he is an award-winning American football coach based in Nottingham, England, and was named BAFCA Youth Coach of the Year in 2024.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.