Q1 2026 Vulnerability Landscape: Rising Threats and Key Exploits

Introduction

In the first quarter of 2026, cybercriminals continued to expand their arsenal, integrating fresh exploits targeting Microsoft Office, Windows, and Linux systems into widely used exploit kits. This report examines the latest vulnerability data, the exploitation trends observed in the wild, and the persistent threat from older, well-known flaws.

CVE Statistics: A Steady Climb

Data from cve.org reveals a persistent upward trajectory in the number of Common Vulnerabilities and Exposures (CVEs) registered each month since 2022. The total volume of published vulnerabilities continues to rise, and analysts anticipate that the growing use of artificial intelligence for automated vulnerability discovery will accelerate this trend even further.

The following chart (downloadable) shows total published vulnerabilities per month from January 2022 through March 2026:

• Total published vulnerabilities per month (2022–2026) – a clear upward slope.

Critical Vulnerabilities: Slight Dip, Strong Trend

Examining only critical vulnerabilities (CVSS score > 8.9) over the same period, we observe a small decrease compared to the end of 2025, yet the overall upward trend remains unmistakable. The current spike is driven by a handful of high-profile issues:

• React2Shell – a severe remote code execution flaw in popular web frameworks.
• Mobile exploit frameworks – new toolkits targeting the mobile ecosystem.
• Secondary vulnerabilities – flaws uncovered during the patching of previously known bugs.

If this pattern holds, Q2 2026 should see a notable drop, similar to the seasonal decline observed in the same period the previous year.

Exploitation Statistics: What Threat Actors Are Using

Our telemetry, combined with open-source intelligence, provides a snapshot of real-world exploitation in Q1 2026. While new exploits are always being integrated, a set of veteran vulnerabilities continues to dominate detection counts across Windows and Linux environments.

Windows and Linux Vulnerability Exploitation

The following old-but-active flaws remain the most commonly detected in the wild:

• CVE-2018-0802 – Remote code execution (RCE) in Microsoft Equation Editor.
• CVE-2017-11882 – Another RCE in the same Equation Editor component.
• CVE-2017-0199 – A flaw in Microsoft Office and WordPad that allows system compromise.
• CVE-2023-38831 – Improper handling of objects inside archives.
• CVE-2025-6218 – Relative path specification enabling arbitrary directory extraction and potential code execution.
• CVE-2025-8088 – Directory traversal bypass during file extraction via NTFS Streams.

These six CVEs account for the majority of exploit detections, underscoring the challenge of patching legacy systems.

Newcomers in Q1 2026

Despite the persistence of older vulnerabilities, threat actors have updated their toolkits with exploits for newly registered flaws. Notable additions in Q1 2026 target:

• Microsoft Office platform – including recent RCE and memory corruption bugs.
• Windows OS components – such as privilege escalation and remote code execution in kernel-mode drivers.

Conclusion

The Q1 2026 vulnerability landscape shows that while security teams are making incremental progress against critical flaws, the overall volume of vulnerabilities is still rising. Attackers continue to rely on a mix of ancient exploits and fresh weaponized bugs, with Microsoft Office and Windows remaining primary targets. Organizations must prioritize patching both legacy and emerging vulnerabilities, and keep a close watch on the evolution of AI-assisted discovery, which will likely reshape the threat landscape in the quarters ahead.