
CVE-2026-20953: remote code execution in Microsoft Office through the Preview Pane

The January 2026 Patch Tuesday brought one of the month’s nastiest bugs for Microsoft Office users: CVE-2026-20953, a remote code execution (RCE) flaw rated critical with a CVSS score of 8.4. The severity is bad enough, but the real worry is where it gets in: the Preview Pane.

What the vulnerability is

CVE-2026-20953 lets an attacker run code remotely in Microsoft Office. The attacker crafts a booby-trapped Office document and gets it to the victim with a bit of social engineering: email, a chat message, a download. Once Office processes that document, the attacker can run arbitrary code with the privileges of whoever was using the machine.

Here is the part that stings: the Preview Pane works as an attack vector. Exploitation does not require the victim to open the file. Just rendering the document in the preview of apps like Outlook or Windows File Explorer can be enough to fire the malicious code. That cuts the user interaction needed down to almost nothing, and with it the barrier to a successful attack.

It does not travel alone. Its twin, CVE-2026-20952, shares the exact same profile: the same CVSS score of 8.4, the same critical rating, and the same Preview Pane vector. Both sit among the six critical RCE vulnerabilities fixed in this Patch Tuesday.

Who is affected

The flaw hits installations of Microsoft Office, which runs everywhere, in both corporate and home setups on Windows. If you receive documents from sources you do not control, you are in the risk range, and even more so if your email client has the Preview Pane enabled. Office is so widespread that the exposure surface is enormous.

Severity

Microsoft tagged exploitation as “Exploitation Less Likely,” but that label falls short once you look at the actual vector. A critical RCE flaw that fires through the Preview Pane, with no need to open the file, deserves top priority. Code execution with the user’s privileges is often the first link in a chain that ends in full compromise of the machine.

Mitigation and patch

The definitive fix is to apply Microsoft’s security updates from the January 2026 Patch Tuesday via Windows Update or corporate deployment channels (WSUS, Intune, etc.). Until the patch is in place, it helps to:

  • Disable the Preview Pane in Outlook and in Windows File Explorer.
  • Open untrusted documents in Protected View.
  • Tighten email filtering and awareness around suspicious attachments.
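
The first two interim steps above, scripted for a single Windows workstation, as an added example that is not part of the original article. It assumes Office 16.0 registry paths (Office 2016 and later, including Microsoft 365), uses the Explorer value ShowPreviewHandlers and the Office ProtectedView values as I know them, and leaves the Outlook Reading Pane (turned off in Outlook’s own view settings or via Group Policy) and the fixed build number as things you take from your environment and the Microsoft advisory.

```powershell
# Added example (not from the original article): apply interim mitigations for
# CVE-2026-20953 on one workstation and report the installed Office build.
# Run in an elevated PowerShell session. Registry paths assume Office 16.0;
# verify them against your own environment before deploying at scale.

# 1. Windows File Explorer: stop preview handlers from rendering documents in
#    the Preview Pane. ShowPreviewHandlers = 0 turns preview handlers off.
$explorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerAdvanced -Name 'ShowPreviewHandlers' -Value 0 -Type DWord

# 2. Office apps: make sure Protected View is enforced for the three risky
#    origins (Internet zone, Outlook attachments, unsafe locations). A value
#    of 0 means "do NOT disable Protected View" for that origin.
$pvValues = 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $pvKey = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\ProtectedView"
    if (-not (Test-Path $pvKey)) { New-Item -Path $pvKey -Force | Out-Null }
    foreach ($name in $pvValues) {
        Set-ItemProperty -Path $pvKey -Name $name -Value 0 -Type DWord
    }
}

# 3. Report the installed Click-to-Run build so it can be compared with the
#    January 2026 fixed build. The fixed build is a placeholder here: take the
#    real number from the Microsoft advisory for CVE-2026-20953.
$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$installed = (Get-ItemProperty -Path $c2r -ErrorAction SilentlyContinue).VersionToReport
$fixedBuild = '<FIXED-BUILD-FROM-MS-ADVISORY>'   # placeholder, not a real value
Write-Output "Installed Office build: $installed (compare with $fixedBuild)"

# 4. Read back what was set so the change can be audited.
Get-ItemProperty -Path $explorerAdvanced -Name 'ShowPreviewHandlers'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\$app\Security\ProtectedView" |
        Select-Object @{n = 'App'; e = { $app } }, $pvValues
}
```

These are per-user (HKCU) settings; for a fleet, push the same values through Group Policy or Intune so they apply to every profile and survive user changes.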

If you run servers or workstations and want to harden the system beyond patching, our article on SELinux and AppArmor covers mandatory access controls on Linux. And if you manage a mixed fleet, take a look at the Windows Desktop page too.

Source