Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code
Microsoft released critical fixes for three closely related remote code execution (RCE) vulnerabilities in Microsoft Outlook and Word that stem from low‑level memory‑safety flaws in the Word rendering engine and its integration with Outlook Classic.
These bugs, tracked as CVE‑2026‑45456, CVE‑2026‑45458, and CVE‑2026‑47635, are rated Critical with a CVSS v3.1 base score of 8.4, reflecting high impact on confidentiality, integrity, and availability if exploited.
The CVSS vector records a local attack vector (AV:L); combined with no privileges and no user interaction required, that is what yields the 8.4 score. Microsoft nonetheless classifies the bugs as remote code execution because the malicious content is delivered over the network (typically by email) and the memory corruption is triggered locally when Office parses it.
Microsoft Outlook and Word RCE Flaws
All three vulnerabilities are rooted in unsafe memory handling within the Office document parsing pipeline.
CVE‑2026‑45456 and CVE‑2026‑47635 involve type confusion, where internal data structures are accessed with an incompatible or incorrect type, breaking type safety guarantees at runtime.
In practice, a crafted document can manipulate object layout assumptions so that the Word engine interprets attacker‑controlled data as a valid object or pointer.
Once the engine operates on that mis‑typed object, the result is controlled memory corruption, which an attacker can turn into arbitrary code execution by overwriting control‑flow data such as function pointers or vtable entries.
CVE‑2026‑45458 involves a use-after-free pattern. In this scenario, Word frees a memory object but continues to hold a dangling pointer to it.
A crafted document can cause the freed region to be reallocated and filled with attacker‑controlled data, so when the stale pointer is later dereferenced the engine operates on the attacker's data as if it were the original object, again enabling code execution.
A key operational detail for defenders is that Outlook Classic uses Word as the rendering engine for email content, including in the Preview Pane.
That means a specially crafted email body or attachment that triggers one of these memory‑corruption paths can execute code merely when the message is rendered, without requiring the user to open an attachment explicitly.
From a kill‑chain perspective, this allows a remote attacker to send a single weaponized email to a target, rely on automatic rendering or user preview in Outlook, and achieve arbitrary code execution with the victim user’s permissions.
No additional privileges and no interaction beyond normal rendering are required. The resulting code runs only with the victim user's rights, so a successful exploit is typically chained with privilege‑escalation or lateral‑movement techniques to pivot deeper into the environment.
The affected scope includes Microsoft Office LTSC 2024 (32‑bit and 64‑bit) and other supported Word/Outlook builds that use the same rendering components.
Microsoft's guidance is that every applicable Office security update must be applied; in environments with multiple Office SKUs, administrators must confirm that each product line receives its own security package, since updating one SKU does not patch the others.
Some Mac Office channels (Office LTSC for Mac 2021/2024 and Microsoft 365 for Mac) may receive their patches slightly later than others. However, they are part of the same remediation effort.
From a defensive posture standpoint, patching remains the primary and non‑negotiable mitigation, as these are core engine‑level issues that cannot be fully neutralized by configuration changes alone.
However, organizations can reduce exploitability and blast radius through layered controls: hardening Outlook by disabling or limiting the Preview Pane for untrusted mailboxes, enforcing Protected View for files originating from the internet, and using Attack Surface Reduction (ASR) rules to restrict Office from spawning child processes. Together these materially raise the bar for successful exploitation and for post‑compromise actions.
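The layered controls described above, as an added example that is not part of the original article or of Microsoft's advisory. It is an elevated PowerShell script for a Windows endpoint running Microsoft Defender Antivirus. The ASR rule GUIDs are Microsoft's published identifiers for those rules; the registry paths are assumed to be the Office 16.0 policy keys written by the Office ADMX templates, so verify them against your template version before deploying at scale. Because the Reading Pane is a per‑view setting rather than a single policy, the script uses Outlook's "read as plain text" policy as the enforceable equivalent.

```powershell
# Added example (not from the article or Microsoft's advisory): layered hardening while patches roll out.
# Run elevated on a Windows endpoint with Microsoft Defender Antivirus.
# ASR GUIDs are Microsoft's published rule identifiers; the registry paths are assumed to be the
# Office 16.0 policy keys written by the Office ADMX templates (verify against your template version).

# 1. Attack Surface Reduction: stop Office hosts from launching child processes or dropping payloads.
#    Outlook is covered by its own rule ("Office communication application"), not by the general Office rule.
$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}
foreach ($id in $asrRules.Keys) {
    # Add-MpPreference appends to the existing rule list; Set-MpPreference would replace it.
    # Pilot with -AttackSurfaceReductionRules_Actions AuditMode before switching to Enabled.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "Enabled ASR rule $id : $($asrRules[$id])"
}

# 2. Protected View: keep internet-zone files and Outlook attachments in the read-only sandbox.
#    A value of 0 means "do not disable", i.e. Protected View stays on for that origin.
$pv = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView'
New-Item -Path $pv -Force | Out-Null
Set-ItemProperty -Path $pv -Name 'DisableInternetFilesInPV' -Value 0 -Type DWord
Set-ItemProperty -Path $pv -Name 'DisableAttachmentsInPV'   -Value 0 -Type DWord

# 3. Outlook: read all mail as plain text so the Word engine is not handed untrusted HTML/RTF bodies.
#    This shrinks the parsing surface; it does not remove Word from the rendering path.
$mail = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'
New-Item -Path $mail -Force | Out-Null
Set-ItemProperty -Path $mail -Name 'ReadAsPlain' -Value 1 -Type DWord

# 4. Verify what is now enforced
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
Get-ItemProperty -Path $pv, $mail
```

Writing HKCU\Software\Policies directly affects only the user the script runs as; for a fleet, push the same values through Group Policy or an Intune configuration profile. Plain‑text rendering removes the HTML and RTF parsers from the mail path but Word still renders the message, which is why the article is right that patching remains mandatory.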
On the detection side, security teams should watch for Word or Outlook processes that crash with access violations or other memory‑access faults, crashes that recur when a specific message is rendered, and child processes spawned from Office, any of which can indicate an exploit attempt or successful code execution.
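A hunt for the two signals just described, as an added example that is not from the article. It assumes Sysmon is installed with process‑creation logging (Event ID 1 in Microsoft-Windows-Sysmon/Operational); the crash query uses the built‑in Application Error events (Event ID 1000) and needs nothing extra. The list of suspicious child processes is a starting point of my own, not a Microsoft list, and the sample values passed to the matcher are constructed, not taken from a real event.

```powershell
# Added example (not from the article). Two hunts for the signals described above:
#   1. an Office host spawning a child process it has no business launching (Sysmon EID 1)
#   2. Word/Outlook crashing with an access violation, i.e. a failed or noisy exploit (EID 1000)
# Assumes Sysmon with process-creation logging; the child-process list is a starting point, not a Microsoft list.

$officeHosts = @('outlook.exe', 'winword.exe')
$suspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                        'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe',
                        'bitsadmin.exe', 'msiexec.exe', 'schtasks.exe')

function Test-OfficeSpawn {
    # Returns $true when an Office mail/word-processing host launched a script or LOLBin child.
    param([string]$ParentImage, [string]$Image)
    $parent = [IO.Path]::GetFileName($ParentImage).ToLower()
    $child  = [IO.Path]::GetFileName($Image).ToLower()
    return ($officeHosts -contains $parent) -and ($suspiciousChildren -contains $child)
}

# Constructed sample values (not a real event) to show what the matcher flags
Test-OfficeSpawn -ParentImage 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE' `
                 -Image 'C:\Windows\System32\cmd.exe'

$since = (Get-Date).AddHours(-24)

# Signal 1: Office child processes in the last 24 hours
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if (Test-OfficeSpawn -ParentImage $data['ParentImage'] -Image $data['Image']) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['User']
                Parent      = $data['ParentImage']
                Child       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
    }

# Signal 2: Word or Outlook faulting with an access violation (exception code 0xc0000005)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Faulting application name: (OUTLOOK|WINWORD)\.EXE' -and
                   $_.Message -match 'Exception code: 0xc0000005' } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0..3] -join ' | ' } }
```

Where Sysmon is not deployed, Security event 4688 carries the same parent/child relationship in its Creator Process Name field once process‑creation auditing is enabled, and the same Test-OfficeSpawn check applies. A crash with a faulting module inside the Office install tree that repeats every time one particular message is opened is the pattern to escalate; pair the event with the message's sender and attachments before the user retries it.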
The post Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code appeared first on Cyber Security News.
Abinaya