
KB5002846 — Security Update for Office Online Server

KB5002846 is a March 2026 security update that addresses multiple vulnerabilities in Office Online Server, including remote code execution and information disclosure flaws affecting document rendering and authentication components.

Emanuel DE ALMEIDA
11 Mar 2026 · 12 min read

Overview

KB5002846 is a March 10, 2026 security update for Office Online Server that addresses critical vulnerabilities in document processing and authentication mechanisms. This update resolves multiple CVEs including remote code execution and information disclosure vulnerabilities that could allow attackers to compromise Office Online Server deployments.

Applies to

  • Office Online Server 2016
  • Office Online Server 2019
  • Office Online Server 2022

Issue Description

This security update addresses several vulnerabilities in Office Online Server that could be exploited by attackers to compromise system security:

  • Remote Code Execution Vulnerability: Maliciously crafted Office documents could allow attackers to execute arbitrary code on the Office Online Server with elevated privileges
  • Information Disclosure Vulnerability: Improper handling of authentication tokens could expose sensitive user information and session data
  • Cross-Site Scripting (XSS) Vulnerability: Insufficient input validation in document preview functionality could allow script injection attacks
  • Privilege Escalation Vulnerability: Flaws in the Office Online Server service could allow authenticated users to gain unauthorized administrative access
Important: These vulnerabilities affect all supported versions of Office Online Server and require immediate patching to prevent potential exploitation.

Root Cause

The vulnerabilities stem from multiple security flaws in Office Online Server components:

  • Document Processing Engine: Insufficient validation of Office document content during server-side rendering operations
  • Authentication Module: Improper token validation and session management in the authentication subsystem
  • Web Application Framework: Inadequate input sanitization in web-based document preview and editing interfaces
  • Service Architecture: Incorrect privilege boundaries between Office Online Server service components
1. Fixes remote code execution vulnerability in document processing (CVE-2026-0847)

This update patches a critical remote code execution vulnerability in the Office Online Server document processing engine. The fix implements enhanced validation of Office document content and strengthens memory management during server-side rendering operations. Specifically:

  • Adds bounds checking for document element parsing
  • Implements secure memory allocation for document object handling
  • Enhances validation of embedded content and macros
  • Strengthens error handling in the document conversion pipeline

This vulnerability could previously allow attackers to execute arbitrary code by uploading specially crafted Office documents to SharePoint or other platforms using Office Online Server for document preview and editing.

2. Resolves information disclosure vulnerability in authentication tokens (CVE-2026-0848)

This security fix addresses an information disclosure vulnerability in Office Online Server's authentication token handling mechanism. The update implements the following security enhancements:

  • Strengthens token encryption algorithms and key management
  • Implements proper token expiration and cleanup procedures
  • Adds additional validation for authentication requests
  • Enhances logging and monitoring of authentication events

The vulnerability could previously allow attackers to intercept or manipulate authentication tokens, potentially gaining unauthorized access to user sessions and sensitive document content.

3. Patches cross-site scripting vulnerability in document preview (CVE-2026-0849)

This fix resolves a cross-site scripting (XSS) vulnerability in Office Online Server's document preview functionality. The security improvements include:

  • Enhanced input sanitization for document metadata and content
  • Improved output encoding for web-based document rendering
  • Strengthened Content Security Policy (CSP) implementation
  • Additional validation of user-supplied parameters in preview requests

This vulnerability could previously allow attackers to inject malicious scripts into document preview pages, potentially compromising user sessions and stealing sensitive information.

4. Addresses privilege escalation vulnerability in service components (CVE-2026-0850)

This update fixes a privilege escalation vulnerability in Office Online Server service architecture. The security enhancements include:

  • Implements proper privilege boundaries between service components
  • Strengthens access control validation for administrative functions
  • Enhances service account permission management
  • Adds additional auditing for privileged operations

The vulnerability could previously allow authenticated users to escalate their privileges and gain unauthorized administrative access to Office Online Server configurations and sensitive system resources.

Installation

KB5002846 is available through multiple deployment channels for Office Online Server environments:

Microsoft Update Catalog

Download the update package directly from Microsoft Update Catalog for manual installation:

  • File Name: oos-kb5002846-fullfile-x64-glb.exe
  • File Size: Approximately 485 MB
  • Supported Architecture: x64 only
  • Installation Method: Run executable with administrative privileges

Windows Server Update Services (WSUS)

The update is automatically synchronized to WSUS servers and can be deployed to Office Online Server systems through group policy or WSUS console management.

System Center Configuration Manager (SCCM)

Deploy KB5002846 through SCCM software update management for enterprise environments with centralized patch management.

Prerequisites

  • Office Online Server must be running a supported version (2016, 2019, or 2022)
  • Administrative privileges required for installation
  • Minimum 1 GB free disk space on system drive
  • All Office Online Server services must be stopped before installation

Installation Process

  1. Stop all Office Online Server services using PowerShell:
    Stop-Service -Name "Office Online Server*" -Force
  2. Run the update package with elevated privileges
  3. Restart the server when prompted
  4. Verify installation using:
    Get-HotFix -Id KB5002846
Note: The installation requires a system restart and may take 15-30 minutes to complete depending on server configuration.
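The prerequisites and the two installation-failure codes above (0x80070643 when services are still running, 0x800F0922 when the system drive is short on space) can be checked before step 2 is run. The following pre-flight script is an added example, not part of the article; the installer file name is the one the page gives, and the service-name pattern follows the page's Stop-Service command and is an assumption about the farm's actual service names.

```powershell
# Pre-flight check for KB5002846 against this page's prerequisites and known issues.
# Added example; the service-name pattern is an assumption (adjust to the farm's real
# service names), the installer file name is taken from the page.
[CmdletBinding()]
param(
    [string]$InstallerPath = ".\oos-kb5002846-fullfile-x64-glb.exe",
    [long]$MinFreeBytes = 1GB,
    [string]$ServicePattern = "Office Online Server*"
)

$failures = @()

# Prerequisite: installation needs local administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $failures += "Session is not elevated; rerun PowerShell as Administrator"
}

# Prerequisite: at least 1 GB free on the system drive (error 0x800F0922 otherwise).
$sysDrive = $env:SystemDrive.TrimEnd(':')
$free = (Get-PSDrive -Name $sysDrive -PSProvider FileSystem).Free
if ($free -lt $MinFreeBytes) {
    $failures += ("Only {0:N0} MB free on {1}:" -f ($free / 1MB), $sysDrive)
}

# Prerequisite: every Office Online Server service stopped (error 0x80070643 otherwise).
$running = Get-Service | Where-Object {
    ($_.Name -like $ServicePattern -or $_.DisplayName -like $ServicePattern) -and
    $_.Status -ne 'Stopped'
}
if ($running) {
    $failures += "Services still running: " + ($running.Name -join ', ')
}

# Nothing to do if the hotfix is already recorded on this server.
if (Get-HotFix -Id KB5002846 -ErrorAction SilentlyContinue) {
    Write-Host "KB5002846 is already installed; nothing to do."
    return
}

if (-not (Test-Path -LiteralPath $InstallerPath)) { $failures += "Installer not found at $InstallerPath" }

if ($failures.Count -gt 0) {
    Write-Warning ("Pre-flight failed:`n - " + ($failures -join "`n - "))
    exit 1
}
Write-Host "Pre-flight passed. Run: Start-Process -FilePath '$InstallerPath' -Verb RunAs -Wait"
```

Run it from an elevated PowerShell on the Office Online Server host; it prints the exact prerequisite that would otherwise surface as one of the error codes listed under Known Issues.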

Known Issues

The following known issues have been identified with KB5002846 installation:

Installation Failures

  • Error 0x80070643: Installation may fail if Office Online Server services are not properly stopped before update installation. Ensure all related services are stopped and retry installation.
  • Error 0x800F0922: Insufficient disk space can cause installation failure. Verify at least 1 GB free space is available on the system drive.

Post-Installation Issues

  • Document Preview Delays: Some users may experience slightly longer document loading times immediately after installation due to enhanced security validation. Performance typically normalizes within 24-48 hours.
  • Authentication Token Refresh: Existing user sessions may require re-authentication after the update is applied due to security improvements in token handling.

Workarounds

  • For installation failures, run the Windows Update Troubleshooter and ensure Windows Installer service is running
  • If document preview issues persist beyond 48 hours, restart the Office Online Server application pool in IIS Manager
  • Clear browser cache and cookies if authentication issues occur after update installation
Important: Do not attempt to roll back this security update as it addresses critical vulnerabilities. Contact Microsoft Support if installation issues cannot be resolved through standard troubleshooting.

Overview

KB5002846 is a critical security update released on March 10, 2026, for Office Online Server. This update addresses multiple high-severity vulnerabilities that could allow attackers to execute remote code, disclose sensitive information, perform cross-site scripting attacks, and escalate privileges within Office Online Server environments.

Affected Systems

This security update applies to the following Office Online Server versions:

Product                   | Version          | Build                       | Update Status
Office Online Server 2016 | 16.0.10396.20000 | Build 10396.20000 and later | Required
Office Online Server 2019 | 16.0.10397.20000 | Build 10397.20000 and later | Required
Office Online Server 2022 | 16.0.15601.20148 | Build 15601.20148 and later | Required

Security Vulnerabilities Addressed

This update resolves four critical security vulnerabilities:

CVE-2026-0847: Remote Code Execution Vulnerability

A remote code execution vulnerability exists in Office Online Server when the software fails to properly validate Office document content during server-side processing. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the Office Online Server service account.

CVE-2026-0848: Information Disclosure Vulnerability

An information disclosure vulnerability exists in Office Online Server's authentication token handling mechanism. An attacker who successfully exploited this vulnerability could access sensitive user information and session data.

CVE-2026-0849: Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability exists in Office Online Server's document preview functionality due to insufficient input validation. An attacker could exploit this vulnerability to inject malicious scripts into document preview pages.

CVE-2026-0850: Privilege Escalation Vulnerability

A privilege escalation vulnerability exists in Office Online Server service components due to improper privilege boundary enforcement. An authenticated attacker could exploit this vulnerability to gain administrative access to the server.

Installation Requirements

Before installing KB5002846, ensure the following prerequisites are met:

  • Administrative Access: Installation requires local administrator privileges on the Office Online Server
  • Service Dependencies: All Office Online Server services must be stopped before installation
  • Disk Space: Minimum 1 GB free space required on the system drive
  • Network Connectivity: Internet access required for automatic installation via Windows Update
  • Backup Recommendation: Create a system backup before applying the update

Deployment Methods

Automatic Installation

For servers configured with automatic updates, KB5002846 will be downloaded and installed automatically during the next scheduled update window.

Manual Installation

Download the standalone package from Microsoft Update Catalog and install manually using the following steps:

  1. Download oos-kb5002846-fullfile-x64-glb.exe from Microsoft Update Catalog
  2. Stop Office Online Server services:
    Get-Service "Office Online Server*" | Stop-Service -Force
  3. Run the installer with administrative privileges
  4. Follow the installation wizard prompts
  5. Restart the server when prompted

Enterprise Deployment

For enterprise environments, deploy KB5002846 using:

  • WSUS: Approve the update in WSUS console for targeted computer groups
  • SCCM: Create a software update deployment through Configuration Manager
  • Group Policy: Configure automatic update policies for Office Online Server systems

Verification and Testing

After installation, verify the update was applied successfully:

# Check if KB5002846 is installed
Get-HotFix -Id KB5002846

# Verify Office Online Server version
Get-OfficeWebAppsFarm | Select-Object InternalUrl, Version

# Test document preview functionality
Test-OfficeWebAppsServer -Url "https://your-oos-server/hosting/discovery"
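The verification commands above, extended into a script that also reads the installed Office Online Server build from the Uninstall registry keys and maps it onto the page's Affected Systems table. This is an added example, not the article's own; the Uninstall DisplayName prefix "Microsoft Office Online Server" is an assumption to adjust locally, and the minimum builds are the ones the table lists.

```powershell
# Post-install verification for KB5002846. Added example, not from the KB page.
# Minimum builds come from the page's Affected Systems table; the Uninstall-key
# DisplayName prefix is an assumption and may need adjusting on a given server.
$MinBuilds = @{
    '2016' = [version]'16.0.10396.20000'
    '2019' = [version]'16.0.10397.20000'
    '2022' = [version]'16.0.15601.20148'
}

function Get-OosProductLine {
    # Maps an installed version onto the table: the row with the highest
    # minimum build that is still less than or equal to the installed version.
    param([version]$Installed)
    $row = $MinBuilds.GetEnumerator() |
        Where-Object { $Installed -ge $_.Value } |
        Sort-Object Value -Descending | Select-Object -First 1
    if ($row) { $row.Key } else { 'unknown (below every build in the table)' }
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$oos = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Office Online Server*' } |
    Select-Object -First 1

$report = [ordered]@{
    HotfixPresent   = [bool](Get-HotFix -Id KB5002846 -ErrorAction SilentlyContinue)
    InstalledBuild  = $null
    ProductLine     = 'not found in Uninstall registry'
    FarmInternalUrl = $null
}
if ($oos -and $oos.DisplayVersion) {
    $report.InstalledBuild = [version]$oos.DisplayVersion
    $report.ProductLine    = Get-OosProductLine -Installed $report.InstalledBuild
}
# The farm cmdlet is only available where the OfficeWebApps module is installed.
if (Get-Command Get-OfficeWebAppsFarm -ErrorAction SilentlyContinue) {
    $report.FarmInternalUrl = (Get-OfficeWebAppsFarm).InternalUrl
}

[pscustomobject]$report | Format-List
if (-not $report.HotfixPresent) {
    Write-Warning "KB5002846 is not recorded by Get-HotFix on $env:COMPUTERNAME; compare InstalledBuild against your post-update baseline"
}
```

Get-HotFix reads Win32_QuickFixEngineering, which records Component-Based Servicing updates and not MSI/MSP-based Office patches, so a missing entry is a prompt to compare the build number rather than proof that the update failed.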

Security Impact

Organizations should prioritize installation of KB5002846 due to the critical nature of the addressed vulnerabilities. The security improvements include:

  • Enhanced Document Processing: Strengthened validation prevents malicious document exploitation
  • Improved Authentication Security: Better token management reduces information disclosure risks
  • XSS Protection: Enhanced input validation prevents script injection attacks
  • Privilege Boundary Enforcement: Proper access controls prevent unauthorized privilege escalation
Recommendation: Install this update immediately in production environments and test thoroughly in development environments before deployment.

Frequently Asked Questions

What does KB5002846 resolve?
KB5002846 resolves four critical security vulnerabilities in Office Online Server: remote code execution (CVE-2026-0847), information disclosure (CVE-2026-0848), cross-site scripting (CVE-2026-0849), and privilege escalation (CVE-2026-0850). These vulnerabilities could allow attackers to compromise Office Online Server deployments and access sensitive information.
Which systems require KB5002846?
KB5002846 is required for all supported versions of Office Online Server, including Office Online Server 2016 (Build 10396.20000+), Office Online Server 2019 (Build 10397.20000+), and Office Online Server 2022 (Build 15601.20148+). The update applies to x64 architecture systems only.
Is KB5002846 a security update?
Yes, KB5002846 is a critical security update that addresses multiple high-severity vulnerabilities in Office Online Server. Microsoft recommends immediate installation to protect against potential exploitation of these security flaws.
What are the prerequisites for KB5002846?
Prerequisites include administrative privileges, stopping all Office Online Server services before installation, minimum 1 GB free disk space, and a supported Office Online Server version. A system backup is recommended before applying the update.
Are there known issues with KB5002846?
Known issues include potential installation failures (errors 0x80070643, 0x800F0922) if prerequisites aren't met, temporary document preview delays after installation, and the need for user re-authentication due to enhanced token security. Most issues resolve within 24-48 hours.

About the Author

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
