Microsoft has disclosed three high-severity remote code execution (RCE) vulnerabilities in two of its most widely deployed applications, Outlook and Word. Each allows an attacker to execute arbitrary code on an affected system. The flaws, tracked as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635, were disclosed on June 9, 2026, and carry CVSS base scores of approximately 8.4 (High).
Security experts have raised concern that these vulnerabilities will be weaponized in phishing campaigns and in attacks that rely on malicious documents. Such attacks could lead to serious intrusions, particularly in enterprise environments where Microsoft Office applications are central to daily operations.
All three flaws lie in the way Outlook and Word parse untrusted content and manage the memory and objects that represent it. An attacker triggers them by supplying a crafted file or message that drives the parser into an unsafe state. Successful exploitation yields code execution in the context of the user running the application, which is typically enough to install malware, exfiltrate sensitive data, or move laterally within the network; if that user is a local administrator, the attacker inherits those rights as well. Notably, none of the three requires prior privileges, and all have low attack complexity, both of which increase the likelihood of reliable real-world exploitation.
Descriptions of the Vulnerabilities
CVE-2026-45456 – Type Confusion Vulnerability
This flaw is a type confusion (CWE-843): the application accesses an object through a type other than the one it was allocated as, so field offsets, pointers, and lengths are interpreted incorrectly. When Outlook or Word misjudges an object's type while processing content, the result is memory corruption. An attacker can trigger it with a specially crafted document or email body that, once parsed, causes the mismatched access and ultimately arbitrary code execution. The attack vector is classified as local, which in CVSS scoring of file-parsing bugs reflects that the malicious content is delivered as a file or message and processed on the victim's machine, not that the attacker needs an existing foothold. Because no privileges and no user interaction are required, taken at face value the content need only be rendered, not deliberately opened, which makes the flaw particularly dangerous both on its own and as the first link in a chained attack.
CVE-2026-45458 – Use-After-Free Vulnerability
The second flaw is a use-after-free (CWE-416) in memory management shared by Outlook and Word. The application continues to use a block of memory after it has been freed; if an attacker can arrange for that block to be reallocated with controlled data in the meantime, the dangling reference now points at attacker-chosen contents. A crafted document that disrupts the intended order of allocation and deallocation can set up exactly this condition. Once triggered, the attacker can execute arbitrary code in the context of the current user, making this flaw a useful initial-access primitive in targeted attacks.
CVE-2026-47635 – Heap-Based Buffer Overflow
The third flaw, CVE-2026-47635, is a heap-based buffer overflow (CWE-122): a write that runs past the end of a heap allocation and corrupts whatever lies after it. A crafted file can declare more data, or a larger length or element count, than the buffer Outlook or Word reserves for it, so that adjacent heap structures are overwritten. Heap overflows are especially dangerous when combined with heap spraying or heap grooming, which place attacker-chosen objects next to the overflowed buffer and turn an otherwise unpredictable corruption into reliable exploitation.
All three share the same CVSS exploitability profile: low attack complexity, no privileges required, and no user interaction required. These metrics, together with the impact of arbitrary code execution, account for the high scores.
At the time of disclosure, Microsoft had not confirmed in-the-wild exploitation of any of the three. Even so, their nature makes them attractive to threat actors, particularly for spear-phishing campaigns, which routinely use malicious Office documents as the initial vector.
Organizations running the affected applications should apply Microsoft's security updates without delay. Additional mitigations are worthwhile while patches roll out: disable the reading (preview) pane in Outlook so that messages are not rendered automatically, tighten email filtering of attachments and embedded content, and monitor document-handling processes for suspicious activity.
Security teams should also watch for anomalous process behavior, in particular Office applications spawning shells, script hosts, or other unexpected child processes, which is a classic indicator of a successful document exploit. Endpoint detection and response (EDR) telemetry makes such exploitation attempts visible and strengthens the organization's overall posture against these vulnerabilities.
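As an added example of the process-behavior monitoring described above (example code written for this page, not a Microsoft or EDR vendor detection): the script flags Office applications that spawn shells, script hosts and other commonly abused system binaries, or any child whose command line shows encoded or download-and-execute patterns. The events are constructed Sysmon Event ID 1 style records embedded inline; in practice they would come from EDR or Windows event forwarding, and the child-process and command-line lists are a starting point to tune for your environment, not an exhaustive rule.

```python
"""Flag Office applications spawning suspicious child processes.

Added example, not part of the advisory. The events below are constructed
Sysmon Event ID 1 style records (UtcTime / ParentImage / Image / CommandLine);
real collection would come from your EDR or Windows event forwarding.
"""
import ntpath
import re

# Document-handling applications whose child processes deserve scrutiny
OFFICE_PARENTS = {"winword.exe", "outlook.exe", "excel.exe", "powerpnt.exe"}

# Children that a document parser has no legitimate reason to launch
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe",
}

# Command-line patterns worth raising even when the child itself looks benign
SUSPICIOUS_CMDLINE = re.compile(
    r"(-enc(odedcommand)?\s|downloadstring|iex\s|invoke-expression|frombase64string)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name from a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a reason string if the event is suspicious, otherwise None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent not in OFFICE_PARENTS:
        return None
    if child in SUSPICIOUS_CHILDREN:
        return f"{parent} spawned {child}"
    if SUSPICIOUS_CMDLINE.search(cmdline):
        return f"{parent} spawned {child} with suspicious command line"
    return None


def scan(events):
    """Run classify() over a list of events; return (UtcTime, reason) for hits."""
    alerts = []
    for event in events:
        reason = classify(event)
        if reason:
            alerts.append((event["UtcTime"], reason))
    return alerts


# Constructed sample telemetry: two benign Office actions, two that should alert,
# and one shell launch from Explorer that is out of scope for this rule.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-06-10 09:12:01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\invoice.docx"'},
    {"UtcTime": "2026-06-10 09:12:09", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"UtcTime": "2026-06-10 09:13:30", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
    {"UtcTime": "2026-06-10 09:15:44", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\update.hta"},
    {"UtcTime": "2026-06-10 09:20:02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for when, reason in scan(SAMPLE_EVENTS):
        print(when, "ALERT:", reason)
```

Outlook launching Word to open an attachment, and Word launching the print helper, pass without an alert; the PowerShell and mshta launches are flagged. Expect to allow-list a few legitimate children (printing helpers, the Office update client) once the rule runs against real telemetry.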
In conclusion, timely awareness of and response to these vulnerabilities are crucial to safeguarding enterprise environments against exploitation.
