Microsoft has recently addressed three critical remote code execution (RCE) vulnerabilities affecting its Outlook and Word applications. These flaws, identified as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635, have been assigned a CVSS v3.1 base score of 8.4, indicating a high severity level due to their potential impact on confidentiality, integrity, and availability.
Details of the Vulnerabilities
All three vulnerabilities originate from unsafe memory handling within the Office document parsing pipeline. Specifically:
- CVE-2026-45456 and CVE-2026-47635: These involve type confusion errors, where internal data structures are accessed with incompatible or incorrect types. This misinterpretation can lead to controlled memory corruption, allowing attackers to execute arbitrary code by manipulating function pointers or virtual table entries.
- CVE-2026-45458: This flaw pertains to a use-after-free condition. In this scenario, Word frees a memory object but continues to reference it. An attacker can exploit this by reallocating the freed memory with malicious data, leading to code execution when the stale pointer is dereferenced.
Notably, Outlook Classic utilizes Word as its rendering engine for email content, including the Preview Pane. This integration means that a specially crafted email can trigger these vulnerabilities merely by being rendered, without the need for the user to open an attachment explicitly. Consequently, an attacker can achieve arbitrary code execution with the victim’s user permissions by sending a single malicious email.
Affected Versions and Mitigation
The vulnerabilities impact multiple versions of Microsoft Office, including Microsoft Office LTSC 2024 (both 32-bit and 64-bit) and other supported Word and Outlook builds that use the same rendering components. Microsoft has emphasized the importance of applying all relevant Office security updates across different product lines to ensure comprehensive protection.
Given the widespread use of Microsoft Office products in both personal and enterprise environments, these vulnerabilities pose a significant security risk. Users and administrators are strongly advised to promptly apply the available patches to mitigate potential exploitation.
These vulnerabilities underscore the critical importance of regular software updates and vigilant cybersecurity practices. As attackers continually seek to exploit software flaws, maintaining up-to-date systems and educating users about potential threats remain essential components of a robust security posture.
