Critical Microsoft Outlook & Word RCE Flaws — Patch Now
Microsoft disclosed three critical vulnerabilities affecting Microsoft Outlook and Word on June 9, 2026, as part of its monthly coordinated security update.
Tracked as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635, each flaw carries a CVSS 3.1 base score of 8.4 (High on the CVSS qualitative scale; Microsoft rates all three Critical) and allows an unauthenticated attacker to execute arbitrary code on an affected system with no privileges and no user interaction required.
All three CVEs share the same attack profile: local attack vector, low attack complexity, no privileges required, and no user interaction, a combination that markedly raises the risk in enterprise and targeted environments, since a single crafted message can carry the exploit.
- CVE-2026-45456 is a type confusion flaw (CWE-843): Office accesses a resource through an incompatible type, corrupting memory in a way that can be steered into arbitrary code execution
- CVE-2026-45458 is a use-after-free (CWE-416): a memory management flaw in which freed memory is referenced again, so an attacker who can reallocate that memory controls what the stale reference sees and can redirect program execution
- CVE-2026-47635 is a heap-based buffer overflow (CWE-122): a crafted input writes past the end of a heap allocation, overwriting adjacent heap data to seize control of the execution context
Each vulnerability shares a CVSS 3.1 vector of AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting complete impact across confidentiality, integrity, and availability.
Despite the “Remote Code Execution” label in the CVE titles, Microsoft’s advisory notes that the attack vector is local: the attacker or victim must run code from the local machine.
“Remote” refers to the attacker’s location, not the delivery mechanism, which is why this class of flaw is also described as Arbitrary Code Execution (ACE).
Most critically, Microsoft confirmed that the Preview Pane in Outlook (classic) is a valid attack vector for all three vulnerabilities. This means a victim does not need to open or double-click a malicious file; simply previewing a crafted email in Outlook is sufficient to trigger exploitation.
This is possible because Outlook (classic) uses Microsoft Word’s rendering engine to display emails, meaning the root vulnerability lives in Word’s functionality but is fully reachable through Outlook’s interface, dramatically widening the attack surface.
At the time of release, Microsoft listed none of the three as publicly disclosed or exploited in the wild. CVE-2026-47635 carries an Exploitability Index assessment of Exploitation Less Likely. The CVSS temporal metrics are the same for all three: Exploit Code Maturity Unproven, Remediation Level Official Fix, and Report Confidence Confirmed (E:U/RL:O/RC:C).
Mitigation
Security teams should patch Microsoft Office LTSC 2024 installations immediately. Given the Preview Pane attack vector, organizations running Outlook (classic) are at elevated risk because exploitation requires no interaction with the malicious content beyond the message being rendered.
Recommended actions:
- Apply the June 9, 2026 security updates to all affected Office installations without delay
- Monitor Office process behavior with EDR, in particular OUTLOOK.EXE or WINWORD.EXE spawning command interpreters, script hosts, or binaries from user-writable paths
- Consider temporarily turning off the Preview Pane (Reading Pane) in Outlook (classic) for high-risk or sensitive users until the update is deployed
- Review and update mail gateway filtering rules so that malformed or weaponized Office documents are blocked before they reach the mailbox
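The monitoring recommendation is easier to act on as a concrete rule. The script below is an added example for this article, not a vendor or Microsoft detection: it runs a parent/child process check over Sysmon Event ID 1-style process-creation events (JSON lines) and flags Outlook or Word launching script hosts and living-off-the-land binaries, downloader-style command lines, or executables from user-writable paths, while suppressing helpers Office launches routinely. Everything in SAMPLE_LOG (hostnames, users, paths, command lines) is constructed for illustration, and the allow/deny lists are starting points to tune per estate.

```python
"""Parent/child process detection for Office (added example for this article,
not a vendor or Microsoft rule). Input is Sysmon Event ID 1-style process
creation events as JSON lines; SAMPLE_LOG is constructed for illustration."""
import json
from dataclasses import dataclass

# Office binaries that render mail and documents. Outlook (classic) hands
# message rendering to Word, so both sit on the same trust boundary.
OFFICE_PARENTS = {"outlook.exe", "winword.exe"}

# Script hosts and living-off-the-land binaries that Outlook/Word have no
# reason to launch while rendering a message or document.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "certutil.exe", "bitsadmin.exe", "msiexec.exe"}

# Helpers Office launches routinely (print spooler proxy, crash reporter,
# sibling Office apps); suppressed to keep the rule quiet. Tune per estate.
EXPECTED_CHILDREN = {"splwow64.exe", "dw20.exe", "winword.exe", "excel.exe",
                     "powerpnt.exe", "msosync.exe"}

# Directories a dropped payload is likely to run from.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Command-line fragments common in first-stage downloaders.
CMDLINE_MARKERS = ("-enc", "-encodedcommand", "downloadstring", "iex ",
                   "http://", "https://", "bypass")


@dataclass
class Finding:
    severity: str
    host: str
    parent: str
    child: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return a Finding for one process-creation event, or None if benign."""
    parent = _basename(event.get("ParentImage", ""))
    if parent not in OFFICE_PARENTS:
        return None
    image = event.get("Image", "")
    child = _basename(image)
    cmdline = event.get("CommandLine", "").lower()
    host = event.get("Computer", "?")
    if child in EXPECTED_CHILDREN:
        return None
    if child in LOLBINS:
        return Finding("high", host, parent, child,
                       "Office process spawned a script host or LOLBin")
    if any(marker in cmdline for marker in CMDLINE_MARKERS):
        return Finding("high", host, parent, child,
                       "downloader-style command line from an Office parent")
    if any(d in image.lower() for d in USER_WRITABLE):
        return Finding("high", host, parent, child,
                       "Office process ran a binary from a user-writable path")
    return Finding("medium", host, parent, child,
                   "unexpected child of an Office process")


def scan(log_text: str) -> list:
    """Evaluate every non-empty JSON line and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            finding = evaluate(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed events: hostnames, users, paths and command lines are invented.
SAMPLE_LOG = r"""
{"EventID":1,"Computer":"WS-FIN-07","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"}
{"EventID":1,"Computer":"WS-FIN-07","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\splwow64.exe","CommandLine":"C:\\Windows\\splwow64.exe 12288"}
{"EventID":1,"Computer":"WS-HR-02","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll,Start"}
{"EventID":1,"Computer":"WS-HR-02","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe"}
{"EventID":1,"Computer":"WS-FIN-07","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe","CommandLine":"invoice.exe"}
{"EventID":1,"Computer":"WS-FIN-07","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe","CommandLine":"Acrobat.exe /n"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.host}: {f.parent} -> {f.child}: {f.reason}")
```

On the sample it raises three high findings (cmd.exe and rundll32.exe children, and an executable run from a user's Temp directory) and one medium finding for Acrobat launched by Outlook, which is the kind of hit the EXPECTED_CHILDREN list absorbs once tuned; the explorer.exe event is ignored because the rule keys on the Office parent, and the splwow64.exe print helper is suppressed. In production the same logic belongs in the EDR's query language, but the ordering of checks (expected child, LOLBin, command line, path, then catch-all) is the part worth carrying over.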
Organizations that delay patching remain exposed to potential exploitation through routine email workflows, making rapid remediation the single most effective defensive measure available.