Microsoft Patches Three Critical RCE Flaws in Outlook and Word Rendering Engine
Microsoft released fixes for three critical remote code execution vulnerabilities in Outlook and Word, stemming from memory-safety bugs in the Word rendering engine.

Microsoft has released critical security updates addressing three remote code execution (RCE) vulnerabilities in Microsoft Outlook and Word, all stemming from memory-safety flaws in the Word rendering engine. The vulnerabilities, tracked as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635, carry a CVSS v3.1 base score of 8.4, indicating high impact on confidentiality, integrity, and availability. Although the CVSS vector shows a local attack vector, Microsoft classifies them as remote code execution because an attacker can deliver malicious content over the network, such as via email, with the exploit triggering locally when Office processes the content.
The three vulnerabilities are rooted in unsafe memory handling within the Office document parsing pipeline. CVE-2026-45456 and CVE-2026-47635 involve type confusion, where internal data structures are accessed with an incompatible type, breaking type safety guarantees. A crafted document can manipulate object layout assumptions, causing the Word engine to interpret attacker-controlled data as a valid object or pointer, leading to controlled memory corruption. CVE-2026-45458 involves a use-after-free pattern, where Word frees a memory object but retains a dangling pointer; an attacker-crafted document can cause the freed region to be reallocated to attacker-controlled data, enabling code execution when the stale pointer is dereferenced.
A critical operational detail is that Outlook Classic uses Word as the rendering engine for email content, including in the Preview Pane. This means a specially crafted email body or attachment that triggers one of these memory-corruption paths can execute code merely when the message is rendered, without requiring the user to open an attachment explicitly. From a kill-chain perspective, a remote attacker can send a single weaponized email, rely on automatic rendering or user preview in Outlook, and achieve arbitrary code execution with the victim user's permissions. Because the vulnerabilities do not require additional privileges or explicit user interaction beyond normal rendering, a successful exploit can be chained with privilege-escalation or lateral-movement techniques to pivot deeper into the environment.
The affected scope includes Microsoft Office LTSC 2024 (32-bit and 64-bit) and other supported Word/Outlook builds that use the same rendering components. Microsoft's guidance stresses that customers must apply all applicable Office security updates to their installations, ensuring each product line receives its corresponding security package. Some Mac Office channels (Office LTSC for Mac 2021/2024 and Microsoft 365 for Mac) may receive patches slightly later, but they are part of the same remediation effort.
Patching remains the primary and non-negotiable mitigation: these are core engine-level issues that cannot be fully neutralized by configuration changes alone. Organizations can, however, reduce exploitability and blast radius through layered controls. Hardening Outlook by disabling or limiting the Preview Pane for untrusted mailboxes, enforcing Protected View for files originating from the internet, and using Attack Surface Reduction (ASR) rules to restrict Office from spawning child processes can materially raise the bar for successful exploitation and for post-compromise actions. On the detection side, security teams should watch for Word or Outlook processes exhibiting unusual memory-access violations, crashes when rendering specific messages, or suspicious child processes spawned from Office; any of these can indicate an exploit attempt or successful code execution.
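The following PowerShell script is an added example, not part of Microsoft's advisory or this article's original text. It applies the layered controls described above on a single Windows endpoint: it reports the installed Click-to-Run Office build for comparison with the fixed build, enforces Protected View for Word files from the internet and from Outlook attachments, and enables the Defender ASR rules that stop Office and Outlook from spawning child processes, injecting into other processes, or writing executable content. Assumptions: the host runs Microsoft Defender Antivirus, Office stores its settings under the 16.0 registry hive (Office 2016 and later, LTSC, Microsoft 365), and the `$PatchedBuild` value is a placeholder to be filled in from Microsoft's release notes, not a build number from the advisory. Disabling the Preview Pane is an Outlook policy/UI setting and is not scripted here.

```powershell
# Added example (not Microsoft's guidance text): applies the layered controls
# the article lists on one Windows endpoint. Run from an elevated session.
# Assumptions: Office 16.0 hive; Defender AV present; $PatchedBuild is a
# placeholder, not a build number taken from the advisory.

param(
    [ValidateSet('AuditMode', 'Enabled')]
    [string]$AsrAction = 'AuditMode',           # start in audit, move to Enabled once validated
    [string]$PatchedBuild = 'PLACEHOLDER-BUILD'  # fill in from the Office update release notes
)

# 1. Installed Click-to-Run Office build, for comparison against the fixed build.
function Get-OfficeClickToRunVersion {
    $cfg = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $cfg) { (Get-ItemProperty -Path $cfg).VersionToReport }
}

# 2. Protected View for Word files from the Internet and Outlook attachments.
#    Written to the Policies hive so users cannot switch it off.
#    Value 0 keeps Protected View on; 1 would disable it.
function Enable-WordProtectedView {
    $pv = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView'
    New-Item -Path $pv -Force | Out-Null
    Set-ItemProperty -Path $pv -Name 'DisableInternetFilesInPV' -Value 0 -Type DWord
    # Office spells this value name with "Attachements".
    Set-ItemProperty -Path $pv -Name 'DisableAttachementsInPV' -Value 0 -Type DWord
}

# 3. ASR rules covering Office child processes, injection and executable content.
#    GUIDs are Microsoft's published rule identifiers.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}

function Set-OfficeAsrRules {
    param([string]$Action)
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
        Write-Host "ASR $Action : $($asrRules[$id])"
    }
}

# 4. Read back the effective state. Defender reports actions as numeric codes.
$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
function Show-OfficeAsrState {
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i]
        if ($asrRules.ContainsKey($id)) {
            [pscustomobject]@{
                Rule   = $asrRules[$id]
                Action = $asrActionNames[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
            }
        }
    }
}

$installed = Get-OfficeClickToRunVersion
Write-Host "Installed Office build: $installed (fixed build: $PatchedBuild)"
Enable-WordProtectedView
Set-OfficeAsrRules -Action $AsrAction
Show-OfficeAsrState | Format-Table -AutoSize
```

Running the script with the default `-AsrAction AuditMode` lets Defender log what the rules would have blocked without interrupting users; once the audit events show no legitimate Office workflows are affected, rerun with `-AsrAction Enabled`. Note that the child-process rules restrict Office behaviour after a rendering bug has been triggered; they do not remove the underlying engine flaw, which only the update does.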
These vulnerabilities highlight the ongoing challenge of memory-safety bugs in widely used productivity software. As attackers increasingly target the Office ecosystem, timely patching and layered defenses remain critical for enterprise security. Microsoft's June 2026 Patch Tuesday addressed a record number of vulnerabilities, and these Outlook/Word flaws are among the most critical, given their potential for remote exploitation without user interaction.
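As an added example that is not part of the original article or Microsoft's advisory, the PowerShell below implements the two detection checks recommended above: scoring process-creation records in which WINWORD.EXE or OUTLOOK.EXE spawns a child outside a small allowlist, and pulling Application Error events for Word or Outlook crashes. The sample records are constructed for this example and are not real telemetry; the live collectors assume Sysmon is installed and logging Event ID 1, that Windows logs Application Error (ID 1000) events, and that the allowlist of legitimate Office child processes is tuned for your environment.

```powershell
# Added example, not from the advisory: (a) Office/Outlook spawning unexpected
# child processes and (b) WINWORD/OUTLOOK crashes while rendering content.
# Sample records are constructed; live collectors assume Sysmon Event ID 1 and
# Windows Application Error (ID 1000) events are available.

$officeParents = 'WINWORD.EXE', 'OUTLOOK.EXE'
# Children Word/Outlook legitimately launch; tune for your environment (assumption).
$allowedChildren = 'WINWORD.EXE', 'splwow64.exe', 'msoia.exe', 'ai.exe', 'protocolhandler.exe'

# Score process-creation records by how far they stray from normal Office behaviour.
function Find-SuspiciousOfficeChild {
    param([Parameter(ValueFromPipeline)] [object[]]$Records)
    process {
        foreach ($r in $Records) {
            $parent = [IO.Path]::GetFileName($r.ParentImage)
            $child  = [IO.Path]::GetFileName($r.Image)
            if ($officeParents -notcontains $parent) { continue }
            if ($allowedChildren -contains $child)   { continue }
            $score = 1   # any non-allowlisted child of Office is worth a look
            if ($child -match '^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$') { $score += 2 }
            if ($r.CommandLine -match '-enc|frombase64|downloadstring|invoke-expression') { $score += 2 }
            if ($r.Image -match '\\Users\\[^\\]+\\AppData\\') { $score += 1 }   # child lives in a user-writable path
            [pscustomobject]@{ Time = $r.Time; Parent = $parent; Child = $child; Score = $score; CommandLine = $r.CommandLine }
        }
    }
}

# Live collector: Sysmon process-creation events mapped to the record shape above.
function Get-SysmonProcessRecords {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; ParentImage = $d['ParentImage']; Image = $d['Image']; CommandLine = $d['CommandLine'] }
    }
}

# Crashes of the Word rendering engine (wwlib.dll) inside Word or Outlook.
function Get-OfficeCrashEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WINWORD\.EXE|OUTLOOK\.EXE|wwlib\.dll' } |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Constructed sample records (not real telemetry) to exercise the logic offline.
$office16 = 'C:\Program Files\Microsoft Office\root\Office16'
$sample = @(
    [pscustomobject]@{ Time = '2026-06-10T09:01:12'; ParentImage = "$office16\OUTLOOK.EXE"; Image = "$office16\WINWORD.EXE"; CommandLine = 'WINWORD.EXE /n' }
    [pscustomobject]@{ Time = '2026-06-10T09:01:15'; ParentImage = "$office16\WINWORD.EXE"; Image = 'C:\Windows\splwow64.exe'; CommandLine = 'splwow64.exe 12288' }
    [pscustomobject]@{ Time = '2026-06-10T09:01:19'; ParentImage = "$office16\WINWORD.EXE"; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c powershell -enc BASE64PLACEHOLDER' }
    [pscustomobject]@{ Time = '2026-06-10T09:02:03'; ParentImage = "$office16\OUTLOOK.EXE"; Image = 'C:\Users\alice\AppData\Local\Temp\update.exe'; CommandLine = 'update.exe' }
)

# Offline run over the constructed sample: the cmd.exe record scores 5, the
# AppData executable 2, and the two allowlisted children are not reported.
$sample | Find-SuspiciousOfficeChild | Sort-Object Score -Descending | Format-Table -AutoSize

# Against a live host instead:
#   Get-SysmonProcessRecords -Hours 48 | Find-SuspiciousOfficeChild | Where-Object Score -ge 3
#   Get-OfficeCrashEvents -Hours 48
```

The score is a triage aid, not a verdict: a Word or Outlook crash followed within seconds by a non-allowlisted child from the same host is the combination worth escalating, since a memory-corruption attempt that fails shows up as a crash and one that succeeds typically shows up as the child process the ASR rules are meant to block.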