Skip to main content

Microsoft EUVDEUVD-2026-22633

| CVE-2026-33115 HIGH
Use After Free (CWE-416)
2026-04-14 microsoft
8.4
CVSS 3.1 · NVD
Temporal: 7.3
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.3 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:37 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22633
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 8.4

DescriptionCVE.org

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

AnalysisAI

Memory corruption in Microsoft Office Word enables local code execution through a use-after-free flaw affecting Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024 for Windows and Mac. Despite the local attack vector (AV:L), the vulnerability requires no privileges (PR:N) or user interaction (UI:N), allowing unauthorized attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability (CVSS 8.4). Vendor-released patch available via Microsoft Security Response Center as of April 2026. No public exploit identified at time of analysis, though the technical simplicity (AC:L) and memory corruption primitive increase weaponization risk.

Technical ContextAI

This vulnerability stems from CWE-416 (Use After Free), a memory safety defect where the application continues to use a memory pointer after the referenced object has been deallocated. In Microsoft Word's document parsing or rendering engine, this occurs when processing specially crafted Office documents, causing the application to access freed heap memory. If an attacker can control the contents of the freed memory region through heap manipulation techniques (heap spraying, heap feng shui), they can redirect program execution flow to attacker-controlled code. The affected products span the entire modern Office ecosystem: Microsoft 365 Apps for Enterprise (version 16.0.1 and earlier), Office LTSC 2021 (version 16.0.1 and earlier), Office LTSC 2024 (version 16.0.0 and earlier), and their macOS equivalents. The CPE strings confirm this affects perpetual license products (LTSC) and subscription-based deployments (Microsoft 365), representing both enterprise and consumer installation bases across Windows and macOS platforms.

RemediationAI

Organizations should immediately apply security updates through Microsoft's official distribution channels. For macOS deployments, upgrade Microsoft Office LTSC for Mac 2021 and 2024 to version 16.108.26041219 or later. For Windows deployments of Microsoft 365 Apps for Enterprise and Office LTSC 2021/2024, consult the April 2026 security release guidance at https://aka.ms/OfficeSecurityReleases for specific patched build numbers. Enterprise environments using Microsoft Update, WSUS, or Configuration Manager should deploy the corresponding security update packages. Until patching is complete, restrict processing of Office documents from untrusted sources and consider application-level sandboxing or virtualization for high-risk document workflows. Disable automatic preview features in Windows Explorer and Outlook to prevent inadvertent file processing. The Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33115 provides complete remediation instructions and detection guidance.

Share

EUVD-2026-22633 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy