Skip to main content

Microsoft CVE-2026-33095

| EUVDEUVD-2026-22615 HIGH
Use After Free (CWE-416)
2026-04-14 microsoft
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:23 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22615
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
HIGH 7.8

DescriptionCVE.org

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

AnalysisAI

Use-after-free memory corruption in Microsoft Office Word enables local code execution with high privileges when victims open malicious documents. Affects Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024 for Windows and Mac (versions below 16.108.26041219 for Mac; click-to-run editions require latest security updates). CVSS 7.8 reflects local attack vector requiring user interaction, but exploitation grants complete system compromise (confidentiality, integrity, availability all rated High). No public exploit identified at time of analysis, though use-after-free vulnerabilities are well-understood exploitation primitives. Vendor-released patch available through Microsoft security updates.

Technical ContextAI

This vulnerability stems from CWE-416 (Use After Free), a memory management defect where Microsoft Word's document parsing engine attempts to access heap memory after it has been deallocated. The affected component is the Word file format parser across multiple Microsoft Office product lines: Microsoft 365 Apps for Enterprise (subscription-based Office suite), Office LTSC 2021 and 2024 (perpetual license editions), and their Mac equivalents. Use-after-free conditions arise when object lifetime management fails during complex document parsing operations, leaving dangling pointers that reference freed memory. When an attacker crafts a malicious Word document to control the contents of the freed memory region and triggers the dangling pointer dereference, they can redirect execution flow to attacker-controlled code. The CVSS vector AV:L indicates local attack vector requiring file system access, while UI:R confirms user must open the weaponized document. PR:N means no authentication to the system is required-an unauthenticated user account can trigger the vulnerability. The vulnerability affects Word's core parsing routines used across all listed Office product variants, suggesting shared codebase or library components.

RemediationAI

Apply Microsoft security updates immediately through Windows Update or Microsoft AutoUpdate for Mac to address this vulnerability. For Microsoft Office LTSC for Mac 2021 and 2024, upgrade to version 16.108.26041219 or later which contains the complete fix. For Microsoft 365 Apps for Enterprise, Office LTSC 2021, and Office LTSC 2024 on Windows (click-to-run deployments), apply the latest security updates from https://aka.ms/OfficeSecurityReleases following Microsoft's standard update channels. Enterprise administrators should deploy updates through Microsoft Endpoint Configuration Manager, Group Policy, or Office Deployment Tool for centralized patch management. Until patching is complete, implement defense-in-depth controls including disabling macros in Office Trust Center settings, enabling Protected View for files from untrusted sources, restricting document execution through application control policies (AppLocker/Windows Defender Application Control), and conducting user awareness training on phishing threats involving weaponized Office documents. Verify successful patch deployment by checking Word version numbers in Help > About or through inventory management systems. Full remediation guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33095.

Share

CVE-2026-33095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy