CVE-2026-23657 - Vulnerability Details

- Microsoft Word Remote Code Execution Vulnerability

Description

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Published: 2026-04-14

Score: 7.8 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

Microsoft 365 Apps for Enterprise

affected

Version	Status	Constraints
`16.0.1`	affected	< https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft Office LTSC 2024

affected

Version	Status	Constraints
`16.0.0`	affected	< https://aka.ms/OfficeSecurityReleases

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23657

History

Tue, 14 Apr 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title		Microsoft Word Remote Code Execution Vulnerability
First Time appeared		Microsoft Microsoft 365 Apps Microsoft office 2024
Weaknesses		CWE-416
CPEs		cpe:2.3:a:microsoft:365_apps:::::enterprise:::* cpe:2.3:a:microsoft:office_2024:::::long_term_servicing_channel:::*
Vendors & Products		Microsoft Microsoft 365 Apps Microsoft office 2024
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23657
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}`

Subscriptions

Microsoft 365 Apps Office 2024

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-04-14T16:57:52.448Z

Updated: 2026-04-15T03:56:52.246Z

Reserved: 2026-01-14T16:59:33.463Z

Link: CVE-2026-23657

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-14T18:16:44.327

Modified: 2026-04-14T18:16:44.327

Link: CVE-2026-23657

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-416

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object