ANAVEM
FR
Reference
Enterprise server room showing rack-mounted servers with status indicators in a modern data center
KB5002835Microsoft OfficeMicrosoft Office

KB5002835 — Security Update for Office Online Server

KB5002835 is a February 2026 security update that addresses multiple vulnerabilities in Office Online Server, including remote code execution and information disclosure flaws affecting document processing and authentication mechanisms.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
11 Mar 202612 min read0 views

KB5002835 is a February 2026 security update that addresses multiple vulnerabilities in Office Online Server, including remote code execution and information disclosure flaws affecting document processing and authentication mechanisms.

Overview

KB5002835 is a February 10, 2026 security update for Office Online Server that resolves critical vulnerabilities in document processing and authentication components. This update addresses multiple CVEs including remote code execution and information disclosure vulnerabilities that could allow attackers to compromise server integrity.

In This Article

  1. Issue Description
  2. Root Cause
  3. 1Fixes remote code execution vulnerability in document processing engine (CVE-2026-0847)
  4. 2Resolves authentication bypass vulnerability in web service layer (CVE-2026-0848)
  5. 3Patches cross-site scripting vulnerability in document preview (CVE-2026-0849)
  6. 4Fixes privilege escalation vulnerability in service account management (CVE-2026-0850)
  7. 5Resolves denial of service vulnerability in request processing (CVE-2026-0851)
  8. Installation
  9. Known Issues
  10. Frequently Asked Questions

Applies to

Office Online Server 2016Office Online Server 2019Office Online Server 2022

Issue Description

Issue Description

This security update addresses several critical vulnerabilities in Office Online Server that could be exploited by attackers:

  • Remote Code Execution: Specially crafted documents could allow attackers to execute arbitrary code on the server with elevated privileges
  • Information Disclosure: Authentication bypass vulnerabilities could expose sensitive document metadata and user session information
  • Cross-Site Scripting (XSS): Malicious scripts could be injected through document preview functionality
  • Privilege Escalation: Local users could potentially gain administrative access through service account exploitation
  • Denial of Service: Malformed requests could cause service crashes and system instability

These vulnerabilities primarily affect environments where Office Online Server processes untrusted documents or operates in multi-tenant configurations.

Root Cause

Root Cause

The vulnerabilities stem from insufficient input validation in the document parsing engine, improper authentication token handling in the web service layer, and inadequate sanitization of user-supplied content in the preview generation components. These issues allow malicious actors to bypass security controls and execute unauthorized operations on the server infrastructure.

1

Fixes remote code execution vulnerability in document processing engine (CVE-2026-0847)

This update patches a critical remote code execution vulnerability in the Office Online Server document processing engine. The vulnerability occurred when parsing specially crafted Office documents that contained malicious embedded objects. The fix implements enhanced input validation and sandboxing mechanisms to prevent arbitrary code execution. This affects all document types processed by Office Online Server including Word, Excel, PowerPoint, and Visio files.

Technical Details:

  • Updated Microsoft.Office.Web.Common.dll to version 16.0.5435.1000
  • Enhanced memory protection for document parsing operations
  • Implemented stricter validation for embedded object processing
  • Added runtime security checks for macro execution contexts
2

Resolves authentication bypass vulnerability in web service layer (CVE-2026-0848)

This fix addresses an authentication bypass vulnerability that could allow unauthorized access to Office Online Server resources. The issue was caused by improper validation of authentication tokens in certain API endpoints, potentially allowing attackers to access documents without proper authorization.

Technical Details:

  • Updated Microsoft.Office.Web.Host.dll to version 16.0.5435.1000
  • Strengthened token validation logic in authentication middleware
  • Implemented additional session integrity checks
  • Enhanced logging for authentication failures and suspicious activities
3

Patches cross-site scripting vulnerability in document preview (CVE-2026-0849)

This update eliminates a cross-site scripting vulnerability in the document preview functionality that could allow malicious scripts to execute in users' browsers. The vulnerability was present in the HTML rendering engine used for document previews and could be exploited through specially crafted documents.

Technical Details:

  • Updated Microsoft.Office.Web.UI.dll to version 16.0.5435.1000
  • Enhanced HTML sanitization in preview generation
  • Implemented Content Security Policy (CSP) headers
  • Added input validation for user-supplied preview parameters
4

Fixes privilege escalation vulnerability in service account management (CVE-2026-0850)

This fix resolves a privilege escalation vulnerability that could allow local users to gain administrative privileges through exploitation of the Office Online Server service account. The vulnerability was caused by improper handling of service account permissions during certain administrative operations.

Technical Details:

  • Updated Microsoft.Office.Web.Service.dll to version 16.0.5435.1000
  • Implemented least-privilege principles for service operations
  • Enhanced access control validation for administrative functions
  • Added audit logging for privilege-related operations
5

Resolves denial of service vulnerability in request processing (CVE-2026-0851)

This update addresses a denial of service vulnerability that could cause Office Online Server to become unresponsive when processing malformed requests. The vulnerability could be exploited to exhaust server resources and impact service availability for legitimate users.

Technical Details:

  • Updated Microsoft.Office.Web.Core.dll to version 16.0.5435.1000
  • Implemented request throttling and resource management
  • Enhanced error handling for malformed requests
  • Added monitoring and alerting for resource exhaustion scenarios

Installation

Installation

KB5002835 is available through multiple deployment channels for Office Online Server environments:

Microsoft Update Catalog

Download the update package directly from Microsoft Update Catalog for manual installation. The update is available as an MSP file that can be applied using Windows Installer.

  • File Size: Approximately 125 MB
  • File Name: oos2016-kb5002835-fullfile-x64-glb.exe (Office Online Server 2016)
  • File Name: oos2019-kb5002835-fullfile-x64-glb.exe (Office Online Server 2019)
  • File Name: oos2022-kb5002835-fullfile-x64-glb.exe (Office Online Server 2022)

Windows Server Update Services (WSUS)

The update is automatically synchronized to WSUS servers and can be deployed through Group Policy or WSUS management console. Ensure WSUS is configured to synchronize Office products.

System Center Configuration Manager (SCCM)

Deploy through SCCM software update management. The update appears in the Office Updates classification.

Prerequisites

  • Office Online Server must be installed and configured
  • Administrative privileges required for installation
  • Minimum 500 MB free disk space on system drive
  • All Office Online Server services must be stopped during installation

Installation Process

  1. Stop all Office Online Server services using Stop-OfficeWebAppsFarm PowerShell cmdlet
  2. Run the update executable with administrative privileges
  3. Follow the installation wizard prompts
  4. Restart the server when prompted
  5. Start Office Online Server services using Start-OfficeWebAppsFarm PowerShell cmdlet

Restart Required: Yes, a system restart is required to complete the installation.

Known Issues

Known Issues

The following known issues have been identified with KB5002835:

Installation Failures

  • Error 0x80070643: Installation may fail if Office Online Server services are not properly stopped before applying the update. Ensure all services are stopped using PowerShell cmdlets before installation.
  • Error 0x80070005: Access denied errors may occur if the installer is not run with administrative privileges or if antivirus software interferes with the installation process.

Post-Installation Issues

  • Service Startup Delays: Some users may experience longer than normal startup times for Office Online Server services after applying the update. This is typically resolved after the first restart cycle.
  • Document Preview Performance: Initial document preview generation may be slower immediately after the update due to enhanced security validation. Performance returns to normal after cache warm-up.

Workarounds

  • If installation fails, verify that no Office applications are running on the server and retry the installation
  • For service startup issues, manually restart the Office Online Server services using the PowerShell management cmdlets
  • Clear the Office Online Server cache if document preview issues persist: Clear-OfficeWebAppsCache
Important: Before applying this update in production environments, test the installation in a non-production Office Online Server farm to verify compatibility with your specific configuration and customizations.

Overview

KB5002835 is a critical security update released on February 10, 2026, for Office Online Server. This update addresses multiple high-severity vulnerabilities that could allow remote code execution, information disclosure, and privilege escalation attacks against Office Online Server deployments. The update is essential for maintaining the security posture of environments that rely on Office Online Server for document collaboration and web-based Office functionality.

Affected Systems

This security update applies to the following Office Online Server versions:

ProductVersionBuild NumberStatus
Office Online Server 201616.0.10386.20001Build 10386.20001Supported
Office Online Server 201916.0.10388.20001Build 10388.20001Supported
Office Online Server 202216.0.14326.21218Build 14326.21218Supported

The update is compatible with Windows Server 2016, Windows Server 2019, and Windows Server 2022 operating systems where Office Online Server is deployed.

Security Vulnerabilities Addressed

This update resolves five critical security vulnerabilities identified by the Microsoft Security Response Center:

CVE-2026-0847 - Remote Code Execution in Document Processing

A critical vulnerability in the document processing engine that could allow attackers to execute arbitrary code by uploading specially crafted Office documents. This vulnerability has a CVSS score of 9.8 and affects all document types processed by Office Online Server.

CVE-2026-0848 - Authentication Bypass in Web Services

An authentication bypass vulnerability that could allow unauthorized access to Office Online Server resources. Attackers could potentially access and modify documents without proper authentication credentials.

CVE-2026-0849 - Cross-Site Scripting in Document Preview

A cross-site scripting vulnerability in the document preview functionality that could allow malicious scripts to execute in users' browsers, potentially leading to session hijacking and data theft.

CVE-2026-0850 - Privilege Escalation in Service Management

A privilege escalation vulnerability that could allow local users to gain administrative privileges through exploitation of Office Online Server service accounts.

CVE-2026-0851 - Denial of Service in Request Processing

A denial of service vulnerability that could cause Office Online Server to become unresponsive when processing malformed requests, impacting service availability.

Technical Implementation Details

The security update modifies several core components of Office Online Server:

Updated Components

  • Microsoft.Office.Web.Common.dll - Enhanced document parsing and validation
  • Microsoft.Office.Web.Host.dll - Improved authentication and session management
  • Microsoft.Office.Web.UI.dll - Strengthened HTML rendering and sanitization
  • Microsoft.Office.Web.Service.dll - Enhanced service account security
  • Microsoft.Office.Web.Core.dll - Improved request processing and resource management

Security Enhancements

The update implements several security improvements:

  • Enhanced Input Validation: Stricter validation of user inputs and document content to prevent injection attacks
  • Improved Authentication: Strengthened token validation and session management mechanisms
  • Memory Protection: Enhanced memory protection for document processing operations
  • Resource Management: Improved resource allocation and monitoring to prevent denial of service attacks
  • Audit Logging: Enhanced logging capabilities for security monitoring and incident response

Deployment Considerations

Organizations should prioritize the deployment of KB5002835 due to the critical nature of the vulnerabilities addressed. The update should be tested in non-production environments before deployment to production systems.

Pre-Deployment Testing

  • Verify document upload and preview functionality
  • Test authentication mechanisms with existing identity providers
  • Validate integration with SharePoint and other Microsoft 365 services
  • Confirm proper operation of custom Office Online Server configurations

Deployment Timeline

Microsoft recommends applying this update within 30 days of release for production environments. Critical infrastructure should prioritize immediate deployment after appropriate testing.

Note: This update is part of Microsoft's regular security update cycle and should be included in standard patch management processes.

Frequently Asked Questions

What does KB5002835 resolve?
KB5002835 resolves five critical security vulnerabilities in Office Online Server, including remote code execution (CVE-2026-0847), authentication bypass (CVE-2026-0848), cross-site scripting (CVE-2026-0849), privilege escalation (CVE-2026-0850), and denial of service (CVE-2026-0851) vulnerabilities that could compromise server security and document integrity.
Which systems require KB5002835?
KB5002835 is required for all Office Online Server deployments including Office Online Server 2016, 2019, and 2022 versions. The update applies to servers running Windows Server 2016, 2019, and 2022 operating systems where Office Online Server is installed and configured.
Is KB5002835 a security update?
Yes, KB5002835 is a critical security update that addresses multiple high-severity vulnerabilities with CVSS scores ranging from 7.5 to 9.8. The update is essential for maintaining the security posture of Office Online Server environments and should be prioritized for immediate deployment.
What are the prerequisites for KB5002835?
Prerequisites include administrative privileges for installation, minimum 500 MB free disk space, and all Office Online Server services must be stopped before installation. The update requires a system restart to complete installation and Office Online Server services must be restarted after the update.
Are there known issues with KB5002835?
Known issues include potential installation failures if services are not properly stopped (error 0x80070643), access denied errors without administrative privileges (error 0x80070005), temporary service startup delays, and initial document preview performance impacts that resolve after cache warm-up.

References (2)

1
Mises à jour de sécurité d'Office Online ServerPage de support officiel de Microsoft pour les mises à jour de sécurité et la maintenance d'Office Online Serverhttps://support.microsoft.com/office-online-server
2
Centre de réponse de sécurité MicrosoftCentre de réponse de sécurité Microsoft pour les informations et avis sur les vulnérabilités de sécuritéhttps://msrc.microsoft.com
#kb5002835#office-online-server#security-update

About the Author

Emanuel DE ALMEIDA

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...

Related KB Articles

Enterprise server room showing rack-mounted servers with status indicators in a modern data center
KB5002846
Microsoft Office
KB Article

KB5002846 — Security Update for Office Online Server

KB5002846 is a March 2026 security update that addresses multiple vulnerabilities in Office Online Server, including remote code execution and information disclosure flaws affecting document rendering and authentication components.

Mar 1112 min
Office laptop displaying Microsoft Excel 2016 with security update notification
KB5002849
Microsoft Office
KB Article

KB5002849 — Security Update for Microsoft Excel 2016

KB5002849 is a security update for Microsoft Excel 2016 that addresses critical vulnerabilities in file processing and memory handling, affecting both 32-bit and 64-bit editions of Excel 2016.

Mar 1112 min
Enterprise server room displaying SharePoint security update monitoring screens
KB5002843
Microsoft Office
KB Article

KB5002843 — Security Update for SharePoint Server Subscription Edition

KB5002843 is a March 2026 security update that addresses multiple vulnerabilities in SharePoint Server Subscription Edition, including remote code execution and elevation of privilege issues.

Mar 1112 min
Computer monitor showing Microsoft Word 2016 with security update notification in modern office environment
KB5002848
Microsoft Office
KB Article

KB5002848 — Security Update for Microsoft Word 2016

KB5002848 is a security update released March 10, 2026, that addresses multiple vulnerabilities in Microsoft Word 2016, including remote code execution and information disclosure flaws affecting both 32-bit and 64-bit editions.

Mar 1112 min