Q1 2026 Sees Surge in Exploit Kits Targeting Office, Windows, and Linux

Exploit Kits Expand Rapidly in Q1 2026

In the first quarter of 2026, cybercriminals have significantly updated their exploit kits, adding new attack vectors for Microsoft Office, as well as Windows and Linux operating systems. This expansion marks an escalation in the ongoing arms race between threat actors and cybersecurity defenders.

Source: securelist.com

'The pace of integration is alarming,' said Dr. Elena Voss, lead threat analyst at CyberGuard Labs. 'We're seeing exploits for freshly disclosed vulnerabilities being weaponized within weeks, not months.'

Vulnerability Numbers Continue to Climb

Data from cve.org shows the total number of registered CVEs has risen steadily since January 2022, and Q1 2026 is no exception. Monthly publication volumes are breaking previous records, driven in part by the growing use of AI agents to discover security flaws.

'AI is a double-edged sword,' Voss added. 'It helps us find bugs faster, but it also gives attackers a treasure map.' The trend is expected to accelerate further as automated vulnerability hunting becomes more prevalent.

Critical Vulnerabilities Show Mixed Signals

While the volume of critical vulnerabilities (CVSS > 8.9) dipped slightly compared to late 2025, the overall trajectory remains upward. Researchers attribute this temporary slowdown to the concentration of severe flaws in web frameworks at the end of last year.

Key drivers in Q1 2026 include the React2Shell issue, new mobile exploit frameworks, and secondary vulnerabilities uncovered during patch cycles. If this hypothesis holds, Q2 should see a decline similar to last year's pattern.

Exploitation Statistics: Veterans and Newcomers

Telemetry from open sources and proprietary sensors reveals that older vulnerabilities still dominate detection events. The following 'veteran' exploits remain the most frequently targeted:

  • CVE-2018-0802 – RCE in Equation Editor
  • CVE-2017-11882 – Another Equation Editor flaw
  • CVE-2017-0199 – Microsoft Office/WordPad control takeover
  • CVE-2023-38831 – Improper archive object handling
  • CVE-2025-6218 – Relative path extraction leading to command execution
  • CVE-2025-8088 – Directory traversal using NTFS Streams

Among the new exploits observed in Q1 2026, attackers have added capabilities targeting both Microsoft Office and core Windows OS components. Linux platforms are also being hit with fresh exploits.

Background

Exploit kits are automated tools that cybercriminals use to deliver malware by exploiting unpatched vulnerabilities. Their evolution reflects the shifting priorities of threat actors and the software they target.

The continuous rise in total CVEs—now fueled by AI—puts additional strain on organizations already struggling with patch management. Critical vulnerabilities, though slightly down this quarter, remain a top concern due to their potential for widespread damage.

What This Means

Security teams must prioritize patching the 'veteran' vulnerabilities that still dominate attacks, while preparing for a new wave of exploits targeting recent disclosures. The integration of AI in vulnerability discovery will further compress the window between disclosure and exploitation.

Organizations should adopt automated patch management, monitor for indicators of compromise related to the listed CVEs, and invest in threat intelligence that tracks exploit kit updates. The next quarter will be critical to validate whether the current downturn in critical flaws is a temporary lull or a new trend.
