Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
AnalysisAI
Out-of-bounds read in Microsoft Office Word enables local information disclosure when a user opens a malicious document, affecting Microsoft 365 Apps for Enterprise and Office LTSC for Mac 2021/2024. The vulnerability requires user interaction (document opening) but does not require elevated privileges, with a CVSS score of 6.1 reflecting moderate severity. Microsoft has released patches addressing this issue across affected product lines.
Technical ContextAI
This vulnerability is rooted in CWE-125 (Out-of-bounds Read), a memory safety issue in C/C++ applications where Word's document parsing routines fail to properly validate buffer boundaries when processing crafted Office documents. The out-of-bounds read occurs in the Word parser during file processing, allowing an attacker to read adjacent memory contents without modifying them. The affected products span Microsoft 365 Apps for Enterprise (16.x branch) and Office LTSC for Mac versions 2021 and 2024, as identified by the provided CPE strings. The vulnerability is localized to the application context (User = U in CVSS vector), meaning it affects only the Word process and the user running it, not system-wide security.
RemediationAI
Vendor-released patch available per Microsoft Security Response Center (MSRC). For Microsoft 365 Apps for Enterprise users, ensure automatic updates are enabled and apply the latest build greater than 16.0.1 via Windows Update or the Microsoft 365 admin center. For Office LTSC for Mac 2021 and 2024, update to build 16.108.26041219 or later by accessing Help > Check for Updates within Word or downloading the latest installer from Microsoft's Download Center. Users unable to patch immediately should avoid opening Word documents from untrusted sources, disable automatic opening of Office documents from email, and consider running Word in sandboxed environments when processing external documents. Detailed advisory available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33822.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22639
GHSA-9g7c-9hff-r47j