Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
AnalysisAI
Memory corruption in Microsoft Office Word enables local code execution through a use-after-free flaw affecting Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024 for Windows and Mac. Despite the local attack vector (AV:L), the vulnerability requires no privileges (PR:N) or user interaction (UI:N), allowing unauthorized attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability (CVSS 8.4). Vendor-released patch available via Microsoft Security Response Center as of April 2026. No public exploit identified at time of analysis, though the technical simplicity (AC:L) and memory corruption primitive increase weaponization risk.
Technical ContextAI
This vulnerability stems from CWE-416 (Use After Free), a memory safety defect where the application continues to use a memory pointer after the referenced object has been deallocated. In Microsoft Word's document parsing or rendering engine, this occurs when processing specially crafted Office documents, causing the application to access freed heap memory. If an attacker can control the contents of the freed memory region through heap manipulation techniques (heap spraying, heap feng shui), they can redirect program execution flow to attacker-controlled code. The affected products span the entire modern Office ecosystem: Microsoft 365 Apps for Enterprise (version 16.0.1 and earlier), Office LTSC 2021 (version 16.0.1 and earlier), Office LTSC 2024 (version 16.0.0 and earlier), and their macOS equivalents. The CPE strings confirm this affects perpetual license products (LTSC) and subscription-based deployments (Microsoft 365), representing both enterprise and consumer installation bases across Windows and macOS platforms.
RemediationAI
Organizations should immediately apply security updates through Microsoft's official distribution channels. For macOS deployments, upgrade Microsoft Office LTSC for Mac 2021 and 2024 to version 16.108.26041219 or later. For Windows deployments of Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024, consult the April 2026 security release guidance at https://aka.ms/OfficeSecurityReleases for specific patched build numbers. Enterprise environments using Microsoft Update, WSUS, or Configuration Manager should deploy the corresponding security update packages. Until patching is complete, restrict processing of Office documents from untrusted sources and consider application-level sandboxing or virtualization for high-risk document workflows. Disable automatic preview features in Windows Explorer and Outlook to prevent inadvertent file processing. The Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33115 provides complete remediation instructions and detection guidance.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22633