Kaspersky Q1 2026 Report: New Microsoft Office Exploit Chain Bypasses Protected View
Kaspersky's Q1 2026 vulnerability report reveals a new exploit chain targeting Microsoft Office that bypasses Protected View using three CVEs, alongside a rise in exploit kit activity and persistent veteran exploits.

Kaspersky's Q1 2026 vulnerability report, published May 7, 2026, documents a significant evolution in the threat landscape, with exploit kits expanding to incorporate new vulnerabilities targeting Microsoft Office, Windows, and Linux. The report highlights a novel exploit chain that bypasses Microsoft Office's Protected View security feature, marking a sophisticated advancement in initial access techniques.
The exploit chain leverages three newly registered vulnerabilities: CVE-2026-21509 and CVE-2026-21514, which are security feature bypass flaws that allow specially crafted files to execute malicious code even when Protected View is enabled, and CVE-2026-21513, a vulnerability in the Internet Explorer MSHTML engine used to render HTML content. The chain was observed in attacks on Windows-based user systems, with the MSHTML flaw triggered via an LNK file. Kaspersky notes that while the combined exploit is noteworthy, its instability may limit widespread use, with individual vulnerabilities likely being repurposed as initial entry vectors in phishing campaigns.
Despite the emergence of these new exploits, veteran vulnerabilities continue to dominate detection statistics. CVE-2018-0802 and CVE-2017-11882, both remote code execution flaws in Microsoft Office's Equation Editor, remain prevalent alongside CVE-2017-0199 (Office/WordPad), CVE-2023-38831 (archive handling), and CVE-2025-6218 and CVE-2025-8088 (directory traversal issues). This persistence underscores the challenge of legacy software patching in enterprise environments.
On the Linux front, the report notes a decrease in exploit detections during Q1 2026 compared to the previous quarter, but detection rates are rising year-over-year. The most frequently exploited Linux vulnerabilities include CVE-2022-0847 (Dirty Pipe), CVE-2019-13272 (privilege inheritance), CVE-2021-22555 (Netfilter heap out-of-bounds), and CVE-2023-32233 (Netfilter use-after-free). Kaspersky emphasizes that timely patching remains critical for both platforms.
The report also analyzes overall vulnerability trends, noting a continued rise in total CVEs registered, driven in part by AI-assisted discovery. Critical vulnerabilities (CVSS > 8.9) showed a slight decrease from previous quarters but remain elevated due to high-profile issues like React2Shell, the release of mobile exploit frameworks, and secondary vulnerabilities uncovered during remediation efforts. Kaspersky hypothesizes that Q2 2026 may see a decline if these drivers subside.
Kaspersky's data draws from its own telemetry and open sources, tracking exploit detections on user systems. The report underscores the importance of comprehensive patch management and user awareness, as exploit kits increasingly combine multiple vulnerabilities to bypass modern defenses. The full report is available on Securelist.