CVE-2026-26110: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in Microsoft 365 Apps for Enterprise
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
AI Analysis
Technical Summary
CVE-2026-26110 is a vulnerability classified under CWE-843 (Access of Resource Using Incompatible Type, or type confusion) affecting Microsoft 365 Apps for Enterprise, specifically version 16.0.1. The vulnerability allows an attacker to exploit improper type handling within the application, enabling access to resources using incompatible types. This leads to the possibility of executing arbitrary code locally on the affected system without requiring any privileges or user interaction. The vulnerability is rated with a CVSS 3.1 score of 8.4 (high severity), reflecting its significant impact on confidentiality, integrity, and availability. The attack vector is local (AV:L), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component. Although no public exploits are known yet, the vulnerability's characteristics make it a serious threat, especially in environments where attackers can gain local access through other means. The lack of available patches at the time of publication necessitates immediate attention to monitoring and mitigation strategies. This vulnerability underscores the importance of secure type handling in complex software like Microsoft 365 Apps, which are widely deployed in enterprise environments.
Potential Impact
The vulnerability allows unauthorized local attackers to execute arbitrary code with the privileges of the current user, potentially leading to full system compromise. This can result in unauthorized data access, modification, or deletion (confidentiality and integrity impact), as well as disruption of services (availability impact). Since Microsoft 365 Apps for Enterprise is widely used in corporate environments, exploitation could facilitate lateral movement within networks, data exfiltration, or deployment of further malware. The absence of required privileges or user interaction lowers the barrier for exploitation once local access is achieved, increasing risk in environments with shared or poorly secured endpoints. The overall impact is significant for organizations relying on Microsoft 365 productivity tools, potentially affecting business continuity, regulatory compliance, and sensitive information security.
Mitigation Recommendations
Organizations should immediately inventory affected Microsoft 365 Apps for Enterprise versions and plan for rapid deployment of security updates once patches are released by Microsoft. Until patches are available, implement strict application whitelisting and endpoint protection controls to prevent execution of unauthorized code. Employ least privilege principles to limit user permissions, reducing the impact of local exploits. Monitor local system activity for unusual behavior indicative of exploitation attempts, such as unexpected process launches or code injections. Consider isolating critical systems and enforcing network segmentation to limit lateral movement from compromised endpoints. Regularly update and audit security configurations and educate users about the risks of local compromise. Engage with Microsoft support channels for any interim mitigations or workarounds. Finally, maintain robust incident response plans to quickly address any exploitation attempts.
Affected Countries
United States, United Kingdom, Germany, Japan, Australia, Canada, France, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: microsoft
- Date Reserved: 2026-02-11T15:52:13.910Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b05631ea502d3aa87d6b17
Added to database: 3/10/2026, 5:34:41 PM
Last enriched: 3/10/2026, 6:18:53 PM
Last updated: 3/14/2026, 12:25:36 AM