Industry News & Leadership · Jun 12, 2026

Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code

Cybersecurity News · Archived Jun 12, 2026




By Abinaya · June 12, 2026

Microsoft released critical fixes for three closely related remote code execution (RCE) vulnerabilities in Microsoft Outlook and Word that stem from low‑level memory‑safety flaws in the Word rendering engine and its integration with Outlook Classic. The bugs, tracked as CVE‑2026‑45456, CVE‑2026‑45458 and CVE‑2026‑47635, are rated Critical with a CVSS v3.1 base score of 8.4, reflecting high impact on confidentiality, integrity and availability if exploited.

Although the CVSS vectors carry a local attack vector (AV:L), Microsoft classifies the flaws as remote code execution because a remote attacker can deliver the malicious content over the network (for example, by email); the exploit itself fires locally when Office parses that content.

Microsoft Outlook and Word RCE Flaws

All three vulnerabilities are rooted in unsafe memory handling within the Office document parsing pipeline. CVE‑2026‑45456 and CVE‑2026‑47635 are type confusion bugs: an internal data structure is accessed as an incompatible type, breaking the type‑safety guarantees the code relies on at runtime. In practice, a crafted document can violate the engine's object‑layout assumptions so that Word interprets attacker‑controlled bytes as a valid object or pointer. Once the engine operates on that mis‑typed object, the result is controlled memory corruption, which an attacker can turn into arbitrary code execution by hijacking control flow through, for example, a function pointer or a vtable entry.

CVE‑2026‑45458 is a use‑after‑free: Word frees a memory object but continues to hold a dangling pointer to it. An attacker‑crafted document can cause the freed region to be reallocated and filled with attacker‑controlled data, so that when the stale pointer is later dereferenced, execution flows through data the attacker controls, again yielding code execution.

A key operational detail for defenders is that Outlook Classic uses Word as the rendering engine for email content, including in the Preview Pane. A specially crafted email body or attachment that reaches one of these memory‑corruption paths can therefore execute code as soon as the message is rendered, without the user explicitly opening an attachment. From a kill‑chain perspective, a remote attacker can send a single weaponized email, rely on automatic rendering or user preview in Outlook, and achieve arbitrary code execution with the victim user's permissions. Because the vulnerabilities require neither additional privileges nor user interaction beyond normal rendering (the 8.4 score with AV:L corresponds to the vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), a successful exploit can be chained with privilege‑escalation or lateral‑movement techniques to pivot deeper into the environment.

The affected scope includes Microsoft Office LTSC 2024 (32‑bit and 64‑bit) and other supported Word/Outlook builds that share the same rendering components. Microsoft's guidance stresses that in environments with multiple Office SKUs, customers must apply every applicable Office security update, and administrators must confirm that each product line receives its own security package. Some Mac Office channels (Office LTSC for Mac 2021/2024 and Microsoft 365 for Mac) may receive their patches slightly later than others, but they are part of the same remediation effort.

From a defensive posture standpoint, patching remains the primary, non‑negotiable mitigation: these are core engine‑level issues that configuration changes alone cannot fully neutralize. Organizations can, however, reduce exploitability and blast radius through layered controls.
Hardening Outlook by disabling or limiting the Preview Pane for untrusted mailboxes, enforcing Protected View for files that originate from the internet, and using Attack Surface Reduction (ASR) rules to stop Office applications from spawning child processes can materially raise the bar for successful exploitation and post‑compromise actions. One caveat: Protected View applies to documents opened as files, including attachments opened from Outlook, not to message bodies rendered in the Preview Pane, so it complements rather than replaces the Preview Pane control.

On the detection side, security teams should watch for anomalous Word or Outlook processes exhibiting unusual memory‑access violations, crashes when rendering specific messages, or suspicious child processes spawned from Office, any of which can indicate exploit attempts or successful code execution.

Abinaya (Abi) is a Security Editor and reporter with Cyber Security News, covering cyber security incidents.
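The layered controls above, as an added example that is not from the article or from Microsoft: an elevated PowerShell session on a host running Microsoft Defender Antivirus audits the relevant ASR rules, switches them to Block mode, and sets the per‑user Outlook and Word Trust Center values. The rule GUIDs are Microsoft's published ASR rule IDs; the registry paths assume the Office 16.0 hive (Office 2016 and later, including LTSC 2024 and Microsoft 365 Apps). Reading mail as plain text is an additional Outlook setting not named in the article; it keeps attacker‑supplied HTML and RTF bodies away from the Word renderer in the Preview Pane.

```powershell
# Added example (not the article's or Microsoft's code). Run elevated on a Windows
# host with Microsoft Defender Antivirus. Assumption: Office 16.0 registry hive.

$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}

function Get-AsrRuleState {
    # Map of rule GUID -> configured action (0 Off, 1 Block, 2 Audit, 6 Warn)
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $state[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    return $state
}

# 1. Audit: report which of the recommended rules are not yet in Block mode
$state = Get-AsrRuleState
foreach ($id in $asrRules.Keys) {
    $action = if ($state.ContainsKey($id)) { $state[$id] } else { 0 }
    $label  = switch ($action) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Off' } }
    '{0,-5} {1}' -f $label, $asrRules[$id]
}

# 2. Enforce: pilot with -AttackSurfaceReductionRules_Actions AuditMode first, then move to Enabled
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# 3. Outlook: render standard (non-signed) mail as plain text so HTML/RTF bodies are not
#    handed to the Word engine in the Preview Pane. Per-user value; for fleet-wide enforcement
#    set the same value name under HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail
$mail = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
New-Item -Path $mail -Force | Out-Null
Set-ItemProperty -Path $mail -Name 'ReadAsPlain' -Value 1 -Type DWord

# 4. Word: keep Protected View on for Outlook attachments and internet-origin files
#    (0 = Protected View enabled for that source). This covers attachments the user opens,
#    not message bodies rendered in the Preview Pane.
$pv = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\ProtectedView'
New-Item -Path $pv -Force | Out-Null
Set-ItemProperty -Path $pv -Name 'DisableAttachmentsInPV'   -Value 0 -Type DWord
Set-ItemProperty -Path $pv -Name 'DisableInternetFilesInPV' -Value 0 -Type DWord
```

Run step 1 before and after step 2 to confirm the change took effect; the "Block all Office applications from creating child processes" rule is the one most likely to break line‑of‑business add‑ins, which is why an AuditMode pilot is worth the delay. ASR hits are logged in the Microsoft‑Windows‑Windows Defender/Operational log as Event ID 1121 (blocked) and 1122 (audited), which feeds directly into the detection work below.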
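The detection guidance above, as an added example that is not from the article: a PowerShell hunt for the two signals it names, a child process spawned by the Outlook or Word rendering host (Sysmon Event ID 1, process creation) and Word or Outlook crashes with an access violation (Application log Event ID 1000 from the Application Error provider). Sysmon with process‑creation logging is assumed; the allow‑list of expected child processes and the sample records are constructed for illustration and must be tuned to your fleet.

```powershell
# Added example (not the article's code). Assumes Sysmon EID 1 logging is enabled.

$officeHosts   = @('outlook.exe', 'winword.exe')
# Children Office legitimately spawns in normal use (assumption, environment-specific)
$expectedChild = @('splwow64.exe', 'ai.exe', 'backgroundtaskhost.exe', 'werfault.exe')

function Test-SuspiciousOfficeChild {
    param([string]$ParentImage, [string]$Image)
    $parent = [IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    $child  = [IO.Path]::GetFileName($Image).ToLowerInvariant()
    if ($officeHosts -notcontains $parent) { return $false }   # not an Office rendering host
    if ($expectedChild -contains $child)   { return $false }   # known-benign helper process
    return $true
}

function Get-SysmonProcessCreate {
    # Flatten Sysmon EID 1 records into objects carrying the EventData fields we need
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ParentImage = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
                User        = $data['User']
            }
        }
}

function Find-OfficeSpawns {
    # Pipeline filter: keep only records where an Office host spawned an unexpected child
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if (Test-SuspiciousOfficeChild -ParentImage $Record.ParentImage -Image $Record.Image) { $Record }
    }
}

function Get-OfficeAccessViolations {
    # Application Error (EID 1000) records for Word/Outlook whose exception code is an
    # access violation (0xc0000005): the "crash while rendering a message" signal
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -MaxEvents $MaxEvents |
        Where-Object { $_.Message -match '(?i)(WINWORD|OUTLOOK)\.EXE' -and $_.Message -match '0xc0000005' } |
        Select-Object TimeCreated, Message
}

# Live hunt:
#   Get-SysmonProcessCreate | Find-OfficeSpawns | Format-Table Time, ParentImage, Image, CommandLine -AutoSize
#   Get-OfficeAccessViolations | Format-List

# Constructed sample records (not real telemetry) to exercise the filter offline
$sample = @(
    [pscustomobject]@{ Time = '2026-06-12T09:14:02'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c powershell -w hidden -enc ...'; User = 'CORP\alice' }
    [pscustomobject]@{ Time = '2026-06-12T09:15:40'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\splwow64.exe'; CommandLine = 'splwow64.exe 12288'; User = 'CORP\bob' }
    [pscustomobject]@{ Time = '2026-06-12T09:16:11'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe'; User = 'CORP\bob' }
)
$sample | Find-OfficeSpawns | Format-Table Time, ParentImage, Image, CommandLine -AutoSize
```

Against the constructed sample, only the OUTLOOK.EXE to cmd.exe record survives: the splwow64.exe child is on the allow‑list, and the explorer.exe parent is not an Office host. The parent‑image check is intentionally strict; an exploit that lands inside the Preview Pane runs as the user inside OUTLOOK.EXE itself, so the child‑process hunt catches the follow‑on stage, while the access‑violation query is the only one of the two that can surface a failed or crashing attempt.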