Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft Office stems from a type confusion condition (CWE-122 heap-based memory corruption per tags) that allows an unauthorized attacker to run arbitrary code on the host. The CVSS 8.4 vector indicates local attack vector with no privileges or user interaction required, and no public exploit is identified at time of analysis. The flaw was reported by Microsoft's MSRC and disclosed via the official update guide.
Technical ContextAI
The vulnerability is rooted in CWE-122 (heap-based buffer overflow) realized through a type confusion primitive - Office code accesses a memory resource as one type when it was actually allocated or initialized as another, causing out-of-bounds heap reads/writes that corrupt adjacent objects (function pointers, vtables, or COM interfaces). Microsoft Office's document parsers (Word, Excel, PowerPoint, Outlook preview pane) historically expose this class of bug via complex binary formats (OLE/CFB, OOXML embedded objects, RTF, EMF) and embedded scripting/COM type marshaling. Successful triggering of the type confusion grants attacker-controlled writes that pivot to native code execution within the Office process context.
RemediationAI
Patch available per vendor advisory - apply the Microsoft security update for CVE-2026-47635 published through the MSRC Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47635 via Microsoft Update, WSUS, Intune, or Click-to-Run channels as appropriate for each Office edition; specific KB/build numbers were not included in the input data and must be retrieved from the advisory. As compensating controls until patching completes, enforce Protected View for files from the Internet and Outlook attachments (side effect: users must explicitly enable editing, breaking some macro-driven workflows), enable Attack Surface Reduction rules such as 'Block Office applications from creating child processes' and 'Block Office applications from injecting code into other processes' via Microsoft Defender (side effect: may interfere with legitimate add-ins or automation), block inbound Office document file types at the email gateway or quarantine for sandbox detonation (side effect: business friction with external partners), and disable embedded object/OLE handling via Group Policy for the affected file formats where business processes permit (side effect: breaks documents that rely on embedded spreadsheets or charts).
More in Office 2024
View allLocal code execution in Microsoft Office Word arises from an untrusted pointer dereference (CWE-822) that can be trigger
Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that an unauthentica
Local code execution in Microsoft Office Word enables an attacker to run arbitrary code in the context of the current us
Local code execution in Microsoft Office Word is possible through an untrusted pointer dereference (CWE-125 out-of-bound
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that triggers when a
Local code execution in Microsoft Office is possible when a user opens a maliciously crafted document that triggers a he
Local code execution in Microsoft Office stems from a type confusion (CWE-843) flaw that allows an unauthenticated attac
Local code execution in Microsoft Office is possible via a heap-based buffer overflow that an unauthorized attacker can
Local code execution in Microsoft Office is possible through a heap-based buffer overflow that an unauthorized attacker
Local code execution in Microsoft Office via a heap-based buffer overflow allows an unauthorized attacker to run arbitra
Local code execution in Microsoft Office via a heap-based buffer overflow that lets an unauthorized attacker run arbitra
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35508
GHSA-qx8j-c4w9-7qr2