Published on June 12, 2026
Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code
Severity
High
Detail
Microsoft has released security updates addressing three critical remote code execution (RCE) vulnerabilities affecting Microsoft Outlook and Microsoft Word. The vulnerabilities, tracked as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635, stem from memory corruption flaws in the Microsoft Word rendering engine, which Outlook Classic also uses to process and render email content. An attacker could exploit them by delivering a specially crafted email or Office document to an affected system and, if successful, execute arbitrary code with the privileges of the targeted user.
CVE-2026-45456 and CVE-2026-47635 are type confusion vulnerabilities that occur when Word improperly handles internal object types during document processing. An attacker can craft a malicious document that manipulates memory structures, causing the application to interpret attacker-controlled data as legitimate objects and potentially execute arbitrary code. CVE-2026-45458 is a use-after-free vulnerability that occurs when Word continues to reference memory after it has been released, allowing attackers to control the reallocated memory region. Attackers may trigger arbitrary code execution when the stale pointer is accessed.
A significant risk factor is that Outlook Classic uses the Word rendering engine for displaying email content, including messages viewed in the Preview Pane. As a result, a specially crafted email may trigger exploitation when rendered, potentially requiring little or no user interaction beyond viewing the message. Successful exploitation could allow attackers to install malware, steal sensitive information, modify data, establish persistence, or use the compromised system as an entry point for further attacks within the environment.
| CVE ID | Summary | CVSS Score |
|---|---|---|
| CVE-2026-45456 | Type confusion vulnerability in Microsoft Word allows remote code execution through specially crafted documents or email content. | 8.4 (High) |
| CVE-2026-45458 | Use-after-free vulnerability in Microsoft Word allows remote code execution through malicious documents or email content. | 8.4 (High) |
| CVE-2026-47635 | Type confusion vulnerability in Microsoft Word allows remote code execution through crafted content processed by Word and Outlook. | 8.4 (High) |
Affected Products
Affected products include supported Microsoft Office installations that use the vulnerable Word rendering components, including:
- Microsoft Office LTSC 2024 (32-bit and 64-bit)
- Microsoft Outlook Classic
- Microsoft Word
- Other supported Microsoft Office and Microsoft 365 builds containing the affected rendering engine components
Microsoft has indicated that certain Microsoft Office for Mac channels, including Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Microsoft 365 for Mac, may receive updates on a separate release schedule.
Recommendation
Organizations should implement the following measures to reduce the risk:
- Apply the relevant Microsoft security updates addressing these vulnerabilities as soon as possible.
- Ensure all deployed Microsoft Office products and editions receive their corresponding security updates.
- Limit or disable the Outlook Preview Pane for untrusted or external email sources where operationally feasible.
- Configure Microsoft Office Protected View for documents originating from the internet, email attachments, and untrusted locations.
- Implement Attack Surface Reduction (ASR) rules that prevent Office applications from launching child processes or performing other suspicious actions.
- Monitor systems for abnormal Word or Outlook crashes, memory-access violations, and unexpected process execution originating from Office applications.
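The following PowerShell script is an added example for checking three of the measures above on a Windows host; it is not part of the advisory or of any Microsoft tooling. It audits Word's Protected View settings, reports the state of the Office-related Defender ASR rules (optionally enabling them), and lists recent Word or Outlook crashes and ASR events that the monitoring recommendation asks for. It assumes an Office 16.0 registry hive (Office 2016 and later, including LTSC 2024 and Microsoft 365), Microsoft Defender Antivirus with its PowerShell cmdlets, and an elevated session; the seven-day lookback window is a chosen value. The Preview Pane setting is not covered here.

```powershell
<#
Added example (not from the advisory): audit Protected View, Office ASR rules and
recent Office crash/ASR events on one host. Run elevated.
Usage:   .\Audit-OfficeRceMitigations.ps1             # report only
         .\Audit-OfficeRceMitigations.ps1 -EnableAsr  # also set missing ASR rules to Block
Assumes: Office 16.0 hive, Defender cmdlets (Get-/Add-MpPreference), readable event logs.
#>
[CmdletBinding()]
param([switch]$EnableAsr, [int]$LookbackDays = 7)   # lookback window is an assumed value

$findings = New-Object System.Collections.Generic.List[string]

# --- 1. Protected View for Word -------------------------------------------------
# A DWORD of 1 means Protected View is DISABLED for that origin. Policy keys
# (Software\Policies\...) take precedence over per-user keys, so both are checked.
$pvKeys = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView',
    'HKCU:\Software\Microsoft\Office\16.0\Word\Security\ProtectedView'
)
$pvValues = 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV'
foreach ($key in $pvKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $pvValues) {
        if ($props.$name -eq 1) { $findings.Add("Protected View disabled: $key\$name = 1") }
    }
}

# --- 2. Office-related ASR rules -------------------------------------------------
# Rule GUIDs as documented by Microsoft; action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
$configured = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $configured[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($id in $asrRules.Keys) {
    $state = if ($configured.ContainsKey($id)) { $actionName[$configured[$id]] } else { 'Not configured' }
    if ($state -ne 'Block') {
        $findings.Add("ASR rule not blocking ($state): $($asrRules[$id])")
        if ($EnableAsr) {
            # 'Enabled' is the cmdlet's name for Block mode.
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
            $findings.Add("  -> set to Block")
        }
    }
}

# --- 3. Monitoring: Office crashes and ASR hits in the lookback window ----------------
$since = (Get-Date).AddDays(-$LookbackDays)

# Application log, Event ID 1000 (Application Error) for WINWORD.EXE / OUTLOOK.EXE.
# Repeated renderer crashes on mail or document open are worth a closer look.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(?i)(WINWORD|OUTLOOK)\.EXE' } |
    ForEach-Object {
        $app = [regex]::Match($_.Message, '(?i)(WINWORD|OUTLOOK)\.EXE').Value
        $findings.Add(("Office crash at {0:u}: {1}" -f $_.TimeCreated, $app))
    }

# Defender operational log: 1121 = ASR rule blocked, 1122 = ASR rule audited.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $kind = if ($_.Id -eq 1121) { 'blocked' } else { 'audited' }
        $findings.Add(("ASR {0} at {1:u}: {2}" -f $kind, $_.TimeCreated, ($_.Message -split "`n")[0].Trim()))
    }

# --- Report ----------------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output "No findings: Protected View enabled, Office ASR rules in Block mode, no Office crashes or ASR hits in the last $LookbackDays days."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run the report first and review the ASR entries in a change window; switching a rule from Audit to Block with `-EnableAsr` can interrupt legitimate Office add-ins or macros that spawn child processes, so the audit events (ID 1122) collected in step 3 are the place to confirm what would be blocked before enforcing.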
Source
https://cybersecuritynews.com/microsoft-outlook-and-word-vulnerabilities/
https://cyberpress.org/microsoft-outlook-and-word-flaws/
https://nvd.nist.gov/vuln/detail/CVE-2026-47635
