Threat Advisory

Microsoft Word and Office Vulnerabilities Create Type Confusion Exposures

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Microsoft has addressed remote code execution (RCE) vulnerabilities affecting Microsoft Outlook and Microsoft Word as part of its latest security updates. These flaws could allow attackers to execute arbitrary code on a victim's system by delivering specially crafted documents or email content. Security researchers highlighted that successful exploitation may occur when users open malicious files or interact with specially crafted content through affected Office applications. Given the widespread use of Outlook and Word in enterprise environments, these vulnerabilities present a significant risk for unauthorized system access, malware deployment, and further network compromise if left unpatched.



CVE-2026-45456 (CVSS score 8.4): A type confusion vulnerability in Microsoft Word and Office that could allow arbitrary local code execution when a user opens specially crafted malicious content, potentially leading to unauthorized system access and compromise.

CVE-2026-45458 (CVSS score 8.4): A use-after-free vulnerability in Microsoft Word in which a freed memory object is referenced through a dangling pointer, potentially allowing arbitrary code execution.

CVE-2026-47635 (CVSS score 8.4): A type confusion vulnerability in Microsoft Office that could allow an unauthorized attacker to execute arbitrary code locally through specially crafted content.

 

RECOMMENDATION:

 

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/microsoft-outlook-and-word-vulnerabilities/
