- Microsoft’s latest Patch Tuesday release fixes 83 bugs
- Including an Excel bug that allows AI-powered no-click data theft
- Update urged to block exfiltration via Copilot assistant
Microsoft’s March 2026 Patch Tuesday release fixed a high-severity vulnerability in Excel that combines old-fashioned cross-site scripting (XSS) with indirect prompt injection to exfiltrate data via artificial intelligence (AI).
Because AI puts a new spin on an old vulnerability, some security researchers described it as “fascinating,” and the fact that it is a “zero-click” attack makes matters worse.
In its security advisory, Microsoft described the bug as an “improper input neutralization” vulnerability that occurs during the generation of a web page, allowing unauthorized attackers to disclose information over a network. It is now tracked as CVE-2026-26144 and has been assigned a severity score of 7.5/10 (high).
Patches and solutions
The bug stems from Excel failing to properly neutralize input. Normally, when a threat actor sends an Excel file containing a malicious link or similar content, the program must neutralize that input by deleting the link or removing the malicious content. Because Excel does not do this correctly, the input can be executed even if the victim never opens the file and merely views it in the preview pane.
Now add AI to the mix. Newer versions of Excel come with Microsoft’s GenAI assistant, Copilot. If the malicious input instructs the AI to exfiltrate sensitive data to a third-party server and Excel does not neutralize it in time, the task can be executed even from the preview pane.
The best way to address this is simply to deploy the update. However, if you can’t do so right away, you can restrict outbound traffic from Office applications and keep a close eye on network requests from Excel processes. Disabling Copilot Agent might also help.
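One way to keep an eye on network requests from Excel processes, shown as an added example that is not from the article or from Microsoft. It assumes network-connection events are exported one JSON object per line with Sysmon Event ID 3 field names; the allowlist, the sample events and the function names are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumption: destinations your organisation approves for Office traffic.
# Illustrative only; replace with your own egress allowlist.
ALLOWED_SUFFIXES = ("office.com", "microsoft.com")
WATCHED_IMAGES = {"excel.exe"}

# Constructed sample events, one JSON object per line, using the field
# names of Sysmon Event ID 3 (network connection detected).
SAMPLE_EVENTS = r"""
{"UtcTime": "2026-03-11 09:14:02", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "DestinationHostname": "files.office.com", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"UtcTime": "2026-03-11 09:14:05", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "DestinationHostname": "collect.attacker.example", "DestinationIp": "198.51.100.23", "DestinationPort": 443}
{"UtcTime": "2026-03-11 09:15:40", "Image": "c:\\program files\\microsoft office\\root\\office16\\excel.exe", "DestinationHostname": "notmicrosoft.com", "DestinationIp": "198.51.100.24", "DestinationPort": 443}
{"UtcTime": "2026-03-11 09:16:11", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "DestinationHostname": "", "DestinationIp": "198.51.100.7", "DestinationPort": 8443}
{"UtcTime": "2026-03-11 09:17:30", "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationHostname": "news.example", "DestinationIp": "192.0.2.50", "DestinationPort": 443}
"""

def is_allowed(hostname):
    # Match the suffix on a label boundary so "notmicrosoft.com" does not pass.
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def suspicious_connections(lines):
    # Return (time, destination, port) for watched processes talking off-allowlist.
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if PureWindowsPath(ev["Image"]).name.lower() not in WATCHED_IMAGES:
            continue
        host = ev.get("DestinationHostname") or ""
        if not is_allowed(host):  # an empty hostname (direct-to-IP) is flagged too
            hits.append((ev["UtcTime"], host or ev["DestinationIp"], ev["DestinationPort"]))
    return hits

if __name__ == "__main__":
    for when, dest, port in suspicious_connections(SAMPLE_EVENTS):
        print(f"{when} excel.exe -> {dest}:{port}")
```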
While this bug grabbed all the headlines, it’s not the only one fixed in this month’s patch. In fact, Microsoft cleaned up a total of 83 vulnerabilities, including eight that the software maker deemed critical.
Via The Register




