Severity
High
Analysis Summary
Microsoft has addressed three critical remote code execution (RCE) vulnerabilities in Microsoft Outlook and Word, tracked as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635. Each vulnerability carries a High severity rating and originates from memory-safety flaws within the Microsoft Word rendering engine and its integration with Outlook Classic. Although classified with a local attack vector, the flaws can be exploited remotely through specially crafted emails or documents, enabling attackers to execute arbitrary code when malicious content is rendered by Office applications.
The vulnerabilities stem from two distinct memory corruption issues. CVE-2026-45456 and CVE-2026-47635 are caused by type confusion flaws, where Word incorrectly interprets internal data structures, allowing attacker-controlled data to be treated as legitimate objects or pointers. CVE-2026-45458 is a use-after-free vulnerability that occurs when Word accesses memory after it has been released, enabling attackers to replace the freed memory with malicious data. Either path can result in controlled memory corruption, allowing adversaries to hijack application execution flow and run arbitrary code on affected systems.
A significant risk factor is Outlook Classic’s reliance on the Word rendering engine for displaying email content, including messages viewed in the Preview Pane. As a result, a specially crafted email or attachment can trigger exploitation during normal message rendering without requiring users to explicitly open a file. This creates a highly effective email-based attack vector that can provide attackers with code execution under the victim’s privileges and potentially serve as an entry point for privilege escalation, credential theft, lateral movement, or broader network compromise.
Affected products include Microsoft Office LTSC 2024 and other supported Word and Outlook versions that share the vulnerable rendering components. Microsoft recommends immediate deployment of all relevant Office security updates across affected environments, as patching is the only complete mitigation for these engine-level flaws. Organizations should further strengthen defenses by limiting Outlook Preview Pane usage for untrusted emails, enforcing Protected View for internet-originated files, and implementing Attack Surface Reduction (ASR) rules to prevent Office applications from launching child processes. Security teams should also monitor for unusual Word or Outlook crashes, memory-access violations, and suspicious Office-spawned processes that may indicate exploitation attempts or successful compromise.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2026-45456
CVE-2026-45458
CVE-2026-47635
Remediation
- Apply all Microsoft security updates for Outlook, Word, and Office products immediately to address CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635.
- Ensure all Office installations, including Microsoft Office LTSC 2024 and Microsoft 365 deployments, are updated to the latest supported versions.
- Enable Protected View for files originating from the internet, email attachments, and untrusted locations.
- Restrict or disable the Outlook Preview Pane for high-risk users and untrusted mailboxes where operationally feasible.
- Implement Attack Surface Reduction (ASR) rules to prevent Office applications from spawning child processes and executing potentially malicious content.
- Deploy advanced email security controls to scan and block malicious attachments and phishing emails before they reach end users.
- Apply the principle of least privilege by ensuring users do not operate with administrative rights unless necessary.
- Enable Endpoint Detection and Response (EDR) solutions to detect suspicious Office-related activity and exploit attempts.
- Monitor for abnormal Word or Outlook crashes, memory-access violations, and unexpected child processes launched by Office applications.
- Conduct regular user awareness training to help employees identify and report suspicious emails and attachments.
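The monitoring guidance above (unexpected child processes launched by Word or Outlook, and Office crashes with memory-access violations) can be expressed as simple detection logic. The following is an added example, not part of the advisory or of any Microsoft tooling; it runs over constructed JSON-lines telemetry whose field names are modelled on Sysmon process-creation and Windows Application Error events, and the Office image and suspicious-child lists are assumptions to tune per environment.

```python
import json
import ntpath

# Office images in scope (Outlook Classic renders mail with Word's engine).
OFFICE_IMAGES = {"winword.exe", "outlook.exe"}
# Child images Office has no routine reason to launch (assumed list, tune locally);
# the ASR "block Office child processes" rule targets the same behaviour.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}
ACCESS_VIOLATION = "0xc0000005"  # STATUS_ACCESS_VIOLATION exception code

def image_name(path):
    """Basename of a Windows image path, lower-cased for matching."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return a finding for one event, or None. Constructed schema modelled on
    Sysmon (EventID 1) and Windows Application Error (EventID 1000) fields."""
    eid = event.get("EventID")
    if eid == 1:  # process creation: Office parent spawning a scripting/shell child
        parent = image_name(event.get("ParentImage"))
        child = image_name(event.get("Image"))
        if parent in OFFICE_IMAGES and child in SUSPICIOUS_CHILDREN:
            return f"office-child-process: {parent} -> {child} [{event.get('CommandLine', '')}]"
    elif eid == 1000:  # application crash: Office faulting with an access violation
        app = image_name(event.get("FaultingApplication"))
        code = str(event.get("ExceptionCode", "")).lower()
        if app in OFFICE_IMAGES and code == ACCESS_VIOLATION:
            return f"office-access-violation: {app} crashed with {code}"
    return None

def scan(lines):
    """Parse JSON-lines events and return the findings in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = classify(json.loads(line))
        if hit:
            findings.append(hit)
    return findings

# Constructed sample telemetry (not real logs): a benign print-helper spawn,
# a shell spawned by Outlook, a Word access violation, and an unrelated crash.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "splwow64.exe 12345"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1000, "FaultingApplication": "WINWORD.EXE", "ExceptionCode": "0xc0000005"}
{"EventID": 1000, "FaultingApplication": "notepad.exe", "ExceptionCode": "0xc0000005"}
"""
```

Calling `scan(SAMPLE_LOG.splitlines())` yields two findings: the Outlook-spawned shell and the Word access violation; the benign spawn and the non-Office crash are ignored.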