Skip to main content

Microsoft EUVDEUVD-2026-22639

| CVE-2026-33822 MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-14 microsoft GHSA-9g7c-9hff-r47j
6.1
CVSS 3.1 · NVD
Temporal: 5.3
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
5.3 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:42 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22639
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
MEDIUM 6.1

DescriptionCVE.org

Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

AnalysisAI

Out-of-bounds read in Microsoft Office Word enables local information disclosure when a user opens a malicious document, affecting Microsoft 365 Apps for Enterprise and Office LTSC for Mac 2021/2024. The vulnerability requires user interaction (document opening) but does not require elevated privileges, with a CVSS score of 6.1 reflecting moderate severity. Microsoft has released patches addressing this issue across affected product lines.

Technical ContextAI

This vulnerability is rooted in CWE-125 (Out-of-bounds Read), a memory safety issue in C/C++ applications where Word's document parsing routines fail to properly validate buffer boundaries when processing crafted Office documents. The out-of-bounds read occurs in the Word parser during file processing, allowing an attacker to read adjacent memory contents without modifying them. The affected products span Microsoft 365 Apps for Enterprise (16.x branch) and Office LTSC for Mac versions 2021 and 2024, as identified by the provided CPE strings. The vulnerability is localized to the application context (User = U in CVSS vector), meaning it affects only the Word process and the user running it, not system-wide security.

RemediationAI

Vendor-released patch available per Microsoft Security Response Center (MSRC). For Microsoft 365 Apps for Enterprise users, ensure automatic updates are enabled and apply the latest build greater than 16.0.1 via Windows Update or the Microsoft 365 admin center. For Office LTSC for Mac 2021 and 2024, update to build 16.108.26041219 or later by accessing Help > Check for Updates within Word or downloading the latest installer from Microsoft's Download Center. Users unable to patch immediately should avoid opening Word documents from untrusted sources, disable automatic opening of Office documents from email, and consider running Word in sandboxed environments when processing external documents. Detailed advisory available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33822.

Share

EUVD-2026-22639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy