Microsoft has disclosed a set of critical remote code execution (RCE) vulnerabilities affecting Outlook and Word that could allow attackers to execute arbitrary code on targeted systems.
The flaws, tracked as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635, were disclosed on June 9, 2026, and carry high severity ratings with CVSS scores of 8.4.
Security researchers warn that these vulnerabilities could be weaponized in phishing campaigns and malicious document-based attacks, posing significant risks to enterprise environments relying heavily on Microsoft Office applications.
The vulnerabilities impact how Microsoft Outlook and Word handle memory and object processing, enabling attackers to craft specially designed files or inputs that trigger unsafe conditions.
Successful exploitation could grant attackers full control over affected systems, allowing them to install malware, exfiltrate sensitive data, or pivot within enterprise networks. Notably, all three vulnerabilities require no user privileges and have low attack complexity, increasing the likelihood of real-world exploitation.
CVE-2026-45456 – Type Confusion Vulnerability
CVE-2026-45456 is a type confusion flaw (CWE-843) that arises when the application accesses resources using incompatible data types. This issue can lead to memory corruption when Outlook or Word improperly interprets object types during processing.
Attackers can exploit this vulnerability by delivering specially crafted documents or email content that triggers incorrect memory handling, ultimately allowing arbitrary code execution.
Although its attack vector is classified as local, the absence of required privileges and user interaction makes it particularly dangerous in chained attack scenarios.
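To make the CWE-843 pattern concrete, here is an added C example that is not Microsoft's code and does not reproduce the Outlook or Word defect. It assumes a constructed tagged object of the kind a document parser keeps (an integer payload or a string pointer sharing one union) and shows the unchecked access beside the tag-checked form, plus a tag parser that rejects unknown type codes from untrusted input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Office code: a tagged object as a document
 * parser might keep it. One tag says the payload is a string (pointer),
 * the other says it is an inline integer. */
enum obj_type { OBJ_INT = 1, OBJ_STR = 2 };

struct obj {
    enum obj_type type;
    union {
        long        ival;   /* valid only when type == OBJ_INT */
        const char *sval;   /* valid only when type == OBJ_STR */
    } u;
};

/* Vulnerable pattern (CWE-843): the accessor assumes the payload is a
 * string without consulting the tag. Passing an OBJ_INT here dereferences
 * the integer as a pointer. Deliberately never called below, because that
 * dereference is undefined behaviour. */
size_t str_len_unchecked(const struct obj *o)
{
    return strlen(o->u.sval);          /* no check of o->type */
}

/* Hardened form: every access consults the tag and refuses mismatches.
 * Returns -1 on type mismatch instead of reinterpreting the payload. */
long str_len_checked(const struct obj *o)
{
    if (o == NULL || o->type != OBJ_STR || o->u.sval == NULL)
        return -1;
    return (long)strlen(o->u.sval);
}

/* Constructors that keep tag and payload consistent. */
struct obj make_int(long v)        { struct obj o; o.type = OBJ_INT; o.u.ival = v; return o; }
struct obj make_str(const char *s) { struct obj o; o.type = OBJ_STR; o.u.sval = s; return o; }

/* Simulates reading a type tag from untrusted file content. Rejecting
 * unknown tags up front is the other half of the fix: a tag byte the
 * format does not define must not fall through to a valid case. */
int parse_tag(unsigned char raw, enum obj_type *out)
{
    switch (raw) {
    case OBJ_INT: *out = OBJ_INT; return 0;
    case OBJ_STR: *out = OBJ_STR; return 0;
    default:      return -1;
    }
}

int main(void)
{
    struct obj s = make_str("hello");
    struct obj i = make_int(0x41414141L);
    printf("checked len of str: %ld\n", str_len_checked(&s));   /* 5 */
    printf("checked len of int: %ld\n", str_len_checked(&i));   /* -1, mismatch refused */
    return 0;
}
```

The checked accessor fails closed: a mismatch returns an error code rather than reading the integer as an address, which is the memory-corruption step the article describes.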
CVE-2026-45458 – Use-After-Free Vulnerability
CVE-2026-45458 is a use-after-free vulnerability (CWE-416) affecting memory management within Outlook and Word. This flaw occurs when the application continues to use memory after it has been freed, leading to unpredictable behavior and potential code execution.
Threat actors can exploit this by crafting malicious documents that manipulate memory allocation and deallocation sequences. Once triggered, attackers may execute code in the context of the current user, making it a valuable entry point for initial compromise in targeted attacks.
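The following added C example, which is not Microsoft's code, illustrates the CWE-416 failure mode and one mitigation for it. It assumes a constructed object table in which a parser hands out generational handles instead of raw pointers: freeing an object advances the slot's generation, so a handle that outlives its object (the allocate, free, reallocate sequence the paragraph describes) is rejected rather than dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed example, not Office code. Objects (say, embedded document
 * parts) live in a slot table; callers hold handles, not pointers. Each slot
 * carries a generation counter bumped on free, so a stale handle no longer
 * matches and the use-after-free becomes a detected error. */
#define SLOTS 8

struct part {
    char name[16];
    int  size;
};

struct slot {
    struct part *obj;        /* NULL when the slot is free */
    uint32_t     generation; /* only the low 16 bits travel in a handle */
};

static struct slot table[SLOTS];

/* Handle = generation in the high 16 bits, slot index in the low 16 bits.
 * Generations start at 1, so no valid handle is ever 0. */
typedef uint32_t handle_t;
#define BAD_HANDLE ((handle_t)0)

static handle_t make_handle(uint32_t idx, uint32_t gen)
{
    return ((gen & 0xFFFFu) << 16) | (idx & 0xFFFFu);
}

handle_t part_alloc(const char *name, int size)
{
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].obj == NULL) {
            struct part *p = calloc(1, sizeof *p);
            if (p == NULL) return BAD_HANDLE;
            strncpy(p->name, name, sizeof p->name - 1);
            p->size = size;
            table[i].obj = p;
            if (table[i].generation == 0) table[i].generation = 1;
            return make_handle(i, table[i].generation);
        }
    }
    return BAD_HANDLE;
}

/* Resolves a handle, or returns NULL if the slot is free or its generation
 * no longer matches. This is exactly the check a raw dangling pointer lacks. */
struct part *part_get(handle_t h)
{
    uint32_t idx = h & 0xFFFFu, gen = h >> 16;
    if (h == BAD_HANDLE || idx >= SLOTS) return NULL;
    if (table[idx].obj == NULL || (table[idx].generation & 0xFFFFu) != gen) return NULL;
    return table[idx].obj;
}

/* Frees the object and invalidates every outstanding handle to it.
 * Returns 0 on success, -1 for a stale or already-freed handle (double free). */
int part_free(handle_t h)
{
    struct part *p = part_get(h);
    if (p == NULL) return -1;
    uint32_t idx = h & 0xFFFFu;
    free(p);
    table[idx].obj = NULL;
    table[idx].generation++;                       /* wraps after 65535 frees of one slot */
    if ((table[idx].generation & 0xFFFFu) == 0) table[idx].generation = 1;
    return 0;
}

/* Walks the dangerous sequence: allocate, keep a handle, free, allocate again
 * (which reuses the slot), then try the old handle. Returns 1 when the stale
 * handle is rejected and the new object is untouched. */
int demo_stale_handle(void)
{
    handle_t old = part_alloc("header", 128);
    part_free(old);
    handle_t fresh = part_alloc("footer", 64);     /* reuses the freed slot */
    int rejected = (part_get(old) == NULL);
    int intact   = (part_get(fresh) != NULL && part_get(fresh)->size == 64);
    part_free(fresh);
    return rejected && intact;
}

int main(void)
{
    printf("stale handle rejected and new object intact: %d\n", demo_stale_handle()); /* 1 */
    return 0;
}
```

With raw pointers the same sequence would silently read or write the "footer" object through the "header" reference; with generational handles the mismatch is caught at the lookup, which is why this pattern is common in parsers and browser engines that process untrusted input.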
CVE-2026-47635 – Heap-Based Buffer Overflow
CVE-2026-47635 involves a heap-based buffer overflow (CWE-122), where data written beyond allocated memory boundaries can corrupt adjacent memory structures.
This vulnerability can be exploited by specially crafted files that cause Outlook or Word to process excessive data. Successful exploitation enables attackers to overwrite critical memory regions, leading to arbitrary code execution.
Heap-based overflows are particularly dangerous because they are highly exploitable when combined with modern techniques such as heap spraying.
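As an added C example (not Microsoft's code, and not the Office parser) of the CWE-122 pattern described above, assume a constructed document record serialised as a 2-byte big-endian length followed by the payload, copied into a fixed-size heap buffer. The unchecked parser trusts the declared length; the hardened parser bounds it against both the destination buffer and the bytes actually present, so an oversized or truncated record is rejected instead of written past the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed record layout, not an Office format:
 *   [2-byte big-endian length][payload bytes]
 * The payload is copied into a PAYLOAD_MAX-byte heap buffer. */
#define PAYLOAD_MAX 32

struct record {
    uint8_t *payload;      /* heap buffer of PAYLOAD_MAX bytes */
    size_t   len;
};

static size_t read_be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Vulnerable pattern (CWE-122): the declared length is trusted, so a record
 * claiming more than PAYLOAD_MAX bytes writes past the heap allocation into
 * whatever sits next to it. Deliberately never invoked below. */
int parse_record_unchecked(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in_len < 2) return -1;
    size_t len = read_be16(in);
    out->payload = malloc(PAYLOAD_MAX);
    if (out->payload == NULL) return -1;
    memcpy(out->payload, in + 2, len);     /* no bound against PAYLOAD_MAX or in_len */
    out->len = len;
    return 0;
}

/* Hardened form: the declared length is checked against the destination
 * buffer and against the input actually available. Returns 0 on success,
 * -1 on malformed input; *out is left untouched on failure. */
int parse_record_checked(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in == NULL || out == NULL || in_len < 2) return -1;
    size_t len = read_be16(in);
    if (len > PAYLOAD_MAX) return -1;      /* would overflow the heap buffer */
    if (len > in_len - 2) return -1;       /* claims more bytes than were supplied */
    uint8_t *buf = malloc(PAYLOAD_MAX);
    if (buf == NULL) return -1;
    memcpy(buf, in + 2, len);
    out->payload = buf;
    out->len = len;
    return 0;
}

void record_free(struct record *r) { free(r->payload); r->payload = NULL; r->len = 0; }

/* Constructed inputs: one well-formed record and two malformed ones. */
static const uint8_t good_rec[]      = { 0x00, 0x05, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t oversized_rec[] = { 0xFF, 0xFF, 'A', 'A', 'A', 'A' }; /* claims 65535 bytes */
static const uint8_t truncated_rec[] = { 0x00, 0x10, 'A', 'B' };           /* claims 16, supplies 2 */

/* Returns the parsed payload length, or -1 when the checked parser rejects
 * the input. */
long checked_len(const uint8_t *in, size_t in_len)
{
    struct record r = {0};
    if (parse_record_checked(in, in_len, &r) != 0) return -1;
    long n = (long)r.len;
    record_free(&r);
    return n;
}

int main(void)
{
    printf("good: %ld\n",      checked_len(good_rec, sizeof good_rec));           /* 5 */
    printf("oversized: %ld\n", checked_len(oversized_rec, sizeof oversized_rec)); /* -1 */
    printf("truncated: %ld\n", checked_len(truncated_rec, sizeof truncated_rec)); /* -1 */
    return 0;
}
```

The second bound (declared length versus bytes present) matters as much as the first: without it a truncated record causes an out-of-bounds read of the input stream, which is the usual way a length-field parser leaks or corrupts adjacent heap memory even when the destination is large enough.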
All three vulnerabilities share similar CVSS vector characteristics, including low attack complexity and no requirement for privileges or user interaction, emphasizing their potential impact.
Although Microsoft has not confirmed active exploitation in the wild at the time of disclosure, the nature of these flaws makes them attractive targets for threat actors, particularly in spear-phishing campaigns leveraging malicious Office documents.
Organizations are strongly advised to apply Microsoft’s latest security updates immediately. Additional mitigation measures include disabling preview panes in Outlook, implementing advanced email filtering, and monitoring for suspicious document activity.
Security teams should also look for anomalous process behaviors and leverage endpoint detection and response (EDR) solutions to identify potential exploitation attempts.