Description
Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally.
Published: 2025-12-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use-after-free flaw (CWE-416) in Microsoft Outlook allows an attacker to execute arbitrary code in the security context of the victim user. In a use-after-free the application releases a heap object but keeps a pointer to it; if attacker-controlled data reoccupies that memory before the stale pointer is used again, the program operates on attacker-chosen contents, and for objects that hold function pointers or vtables that becomes control of execution. The vendor description says only that code is executed locally; the CVSS vector (AV:L, UI:R) implies the victim must open or preview a crafted message or attachment, so that delivery path is inferred from the metrics rather than stated by the advisory. Successful exploitation yields the full privileges of the logged-on user (confidentiality, integrity and availability are all rated High): the attacker can read or modify that user's data, install malware, or move laterally, subject to whatever the account is allowed to do.
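
The mechanism described above, as an added illustration that is not Outlook code and not from the advisory: a toy slab allocator with a LIFO free list, an object holding a function pointer (the analogue of a C++ vtable), a raw pointer that outlives the object, and an attacker allocation that reclaims the freed chunk, followed by the reference-counted form that closes the window. Every name in it (slab_alloc, attachment, attacker_reclaim, preview_raw, preview_ref and so on) is invented for the example; the allocator is deliberately tiny so the sequence is deterministic.

```c
/* Constructed illustration of CWE-416 (use after free) and the reclaim
 * primitive attackers build on. Not Outlook code: allocator, object and
 * attacker step are toy stand-ins so the sequence runs deterministically. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy slab: fixed-size chunks, LIFO free list, freed chunks poisoned
 * with 0xDD (debug heaps behave much the same). */
#define CHUNK   64
#define NCHUNKS 8
static _Alignas(max_align_t) uint8_t slab[NCHUNKS][CHUNK];
static int freelist[NCHUNKS];
static int nfree;

static void slab_reset(void)
{
    memset(slab, 0, sizeof slab);
    nfree = 0;
    for (int i = NCHUNKS - 1; i >= 0; i--)   /* chunk 0 is handed out first */
        freelist[nfree++] = i;
}

static void *slab_alloc(void)
{
    return nfree > 0 ? slab[freelist[--nfree]] : NULL;
}

static void slab_free(void *p)
{
    int idx = (int)(((uint8_t *)p - &slab[0][0]) / CHUNK);
    memset(p, 0xDD, CHUNK);
    freelist[nfree++] = idx;                 /* next same-size alloc gets it back */
}

/* Object whose first field is a function pointer: the vtable analogue. */
typedef struct attachment {
    void (*render)(struct attachment *);
    int refs;
    char name[32];
} attachment;

static int render_calls, hijacked;
static void real_render(attachment *a)     { (void)a; render_calls++; }
static void attacker_gadget(attachment *a) { (void)a; hijacked = 1; }

static attachment *attachment_new(const char *name)
{
    attachment *a = slab_alloc();
    a->render = real_render;
    a->refs = 1;
    strncpy(a->name, name, sizeof a->name - 1);
    a->name[sizeof a->name - 1] = '\0';
    return a;
}

/* Attacker step: a crafted message forces an allocation of the same size
 * whose bytes the attacker chooses (heap grooming / chunk reclaim). */
static void attacker_reclaim(void)
{
    uint8_t payload[CHUNK];
    void (*fp)(attachment *) = attacker_gadget;
    memset(payload, 'A', sizeof payload);
    memcpy(payload, &fp, sizeof fp);         /* overwrite the function-pointer slot */
    memcpy(slab_alloc(), payload, sizeof payload);
}

/* Vulnerable pattern: the preview pane keeps a raw pointer, the message
 * store frees the object, nobody clears the pointer. Returns 1 when the
 * stale pointer dispatches into attacker-controlled memory. */
static attachment *preview_raw;

static int vulnerable_flow(void)
{
    slab_reset(); render_calls = hijacked = 0;
    attachment *a = attachment_new("invoice.docx");
    preview_raw = a;
    preview_raw->render(preview_raw);        /* legitimate use */
    slab_free(a);                            /* store deletes it; preview_raw dangles */
    attacker_reclaim();                      /* same chunk returns, now attacker data */
    preview_raw->render(preview_raw);        /* use after free: calls attacker_gadget */
    return hijacked;
}

/* Hardened pattern: shared ownership via a reference count; the object is
 * freed only when the last holder releases, and release nulls the caller's
 * pointer. Returns 1 when both renders reach the real function. */
static attachment *preview_ref;

static void attachment_retain(attachment *a) { a->refs++; }
static void attachment_release(attachment **pa)
{
    attachment *a = *pa;
    *pa = NULL;                              /* no dangling pointer left behind */
    if (a && --a->refs == 0)
        slab_free(a);
}

static int hardened_flow(void)
{
    slab_reset(); render_calls = hijacked = 0;
    attachment *a = attachment_new("invoice.docx");   /* store's reference */
    preview_ref = a;
    attachment_retain(preview_ref);                   /* preview's own reference */
    preview_ref->render(preview_ref);
    attachment_release(&a);                  /* store lets go; object survives */
    attacker_reclaim();                      /* lands in a different chunk */
    preview_ref->render(preview_ref);        /* still real_render */
    attachment_release(&preview_ref);        /* last reference: freed and nulled */
    return hijacked == 0 && render_calls == 2 && preview_ref == NULL;
}
```

Nulling preview_raw at the free site would fix that one caller but not the shared-ownership problem that produces these bugs in large codebases; the reference count does, which is what hardened_flow checks. The call into attacker_gadget stands in for the real-world step of steering the stale indirect call into a ROP chain or shellcode, which is why a CWE-416 in a component that parses mail content is rated C:H/I:H/A:H.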

Affected Systems

The CNA lists Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Office LTSC 2021 and 2024 for Windows and for macOS, Word 2016 (the only 2016-generation product in the list), Microsoft SharePoint Enterprise Server 2016 and Microsoft SharePoint Server 2019; the CPE entries under History give the exact identifiers. Word and SharePoint appearing alongside Outlook suggests the defect sits in a shared Office component rather than in Outlook-only code, but that is an inference from the product list, not something the advisory states. No narrower version ranges were published, so every build of these products should be treated as affected until the corresponding Microsoft security update is installed.

Risk and Exploitability

The CVSS 3.1 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: no privileges are needed, but the victim must interact, and Attack Vector is Local because the malicious content has to be opened on the target rather than reached over the network. In practice the file or message is delivered remotely, typically by e-mail, so the Local rating reflects the user-interaction requirement, not a need for prior access. The EPSS score below 1% is a model estimate that exploitation within the next 30 days is unlikely, not an observation of attempts. The CVE is not in CISA's KEV catalog, the CNA's temporal metrics carry E:U (exploitation unproven) and the SSVC assessment records Exploitation: none, so there is no public evidence of exploitation at the time of this analysis. Given the High technical impact, remediation should not wait for that to change.

Generated by OpenCVE AI on April 20, 2026 at 16:38 UTC.

Remediation

The OpenCVE remediation field records no vendor fix or workaround. Note, however, that the CNA's CVSS temporal metric is RL:O (official fix available), so a Microsoft security update exists for this CVE; the MSRC update guide entry linked under Recommended Actions is the authoritative source for the fixed builds of each product and channel.

OpenCVE Recommended Actions

  • Apply the latest Office/Outlook security update from Microsoft; the fixed build for each product and servicing channel is listed in the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62562
  • Where Microsoft Defender for Office 365 is licensed, enable Safe Attachments policies so attachments are detonated before delivery; this reduces exposure but does not replace the patch
  • Advise users not to open unexpected attachments, and use mail filtering to block or quarantine suspicious file types

Advisories

No advisories yet.

History

Tue, 09 Dec 2025 21:45:00 +0000

Type: First Time appeared
Values Added:
  Microsoft office
  Microsoft office Long Term Servicing Channel
  Microsoft sharepoint Server
  Microsoft word

Type: CPEs
Values Added:
  cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
  cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
  cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
  cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
  cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
  cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*
  cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*

Type: Vendors & Products
Values Added:
  Microsoft office
  Microsoft office Long Term Servicing Channel
  Microsoft sharepoint Server
  Microsoft word

Tue, 09 Dec 2025 21:15:00 +0000

Type: Metrics
Values Added:
  ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 18:15:00 +0000

Type: Description
Values Added:
  Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally.

Type: Title
Values Added:
  Microsoft Outlook Remote Code Execution Vulnerability

Type: First Time appeared
Values Added:
  Microsoft
  Microsoft 365 Apps
  Microsoft office 2019
  Microsoft office 2021
  Microsoft office 2024
  Microsoft office Macos 2021
  Microsoft office Macos 2024
  Microsoft sharepoint Server 2016
  Microsoft sharepoint Server 2019
  Microsoft word 2016

Type: Weaknesses
Values Added:
  CWE-416

Type: CPEs
Values Added:
  cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
  cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
  cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
  cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
  cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
  cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
  cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
  Microsoft
  Microsoft 365 Apps
  Microsoft office 2019
  Microsoft office 2021
  Microsoft office 2024
  Microsoft office Macos 2021
  Microsoft office Macos 2024
  Microsoft sharepoint Server 2016
  Microsoft sharepoint Server 2019
  Microsoft word 2016

Type: References

Type: Metrics
Values Added:
  cvssV3_1 (base score 7.8; the vector also carries the temporal metrics E:U/RL:O/RC:C)
  {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:35.343Z

Reserved: 2025-10-15T17:11:21.221Z

Link: CVE-2025-62562

Vulnrichment

Updated: 2025-12-09T20:17:13.986Z

NVD

Status : Analyzed

Published: 2025-12-09T18:16:02.110

Modified: 2025-12-09T21:30:44.590

Link: CVE-2025-62562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses