Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
AnalysisAI
Use-after-free memory corruption in Microsoft Office Word enables local code execution with high privileges when victims open malicious documents. Affects Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024 for Windows and Mac (versions below 16.108.26041219 for Mac; click-to-run editions require latest security updates). CVSS 7.8 reflects local attack vector requiring user interaction, but exploitation grants complete system compromise (confidentiality, integrity, availability all rated High). No public exploit identified at time of analysis, though use-after-free vulnerabilities are well-understood exploitation primitives. Vendor-released patch available through Microsoft security updates.
Technical ContextAI
This vulnerability stems from CWE-416 (Use After Free), a memory management defect where Microsoft Word's document parsing engine attempts to access heap memory after it has been deallocated. The affected component is the Word file format parser across multiple Microsoft Office product lines: Microsoft 365 Apps for Enterprise (subscription-based Office suite), Office LTSC 2021 and 2024 (perpetual license editions), and their Mac equivalents. Use-after-free conditions arise when object lifetime management fails during complex document parsing operations, leaving dangling pointers that reference freed memory. When an attacker crafts a malicious Word document to control the contents of the freed memory region and triggers the dangling pointer dereference, they can redirect execution flow to attacker-controlled code. The CVSS vector AV:L indicates local attack vector requiring file system access, while UI:R confirms user must open the weaponized document. PR:N means no authentication to the system is required-an unauthenticated user account can trigger the vulnerability. The vulnerability affects Word's core parsing routines used across all listed Office product variants, suggesting shared codebase or library components.
RemediationAI
Apply Microsoft security updates immediately through Windows Update or Microsoft AutoUpdate for Mac to address this vulnerability. For Microsoft Office LTSC for Mac 2021 and 2024, upgrade to version 16.108.26041219 or later which contains the complete fix. For Microsoft 365 Apps for Enterprise, Office LTSC 2021, and Office LTSC 2024 on Windows (click-to-run deployments), apply the latest security updates from https://aka.ms/OfficeSecurityReleases following Microsoft's standard update channels. Enterprise administrators should deploy updates through Microsoft Endpoint Configuration Manager, Group Policy, or Office Deployment Tool for centralized patch management. Until patching is complete, implement defense-in-depth controls including disabling macros in Office Trust Center settings, enabling Protected View for files from untrusted sources, restricting document execution through application control policies (AppLocker/Windows Defender Application Control), and conducting user awareness training on phishing threats involving weaponized Office documents. Verify successful patch deployment by checking Word version numbers in Help > About or through inventory management systems. Full remediation guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33095.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22615