Description
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: 2026-04-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An attacker can trigger a use‑after‑free error in Microsoft Word by opening a specially crafted document. The flaw permits execution of arbitrary code with the privileges of the current user, effectively granting an attacker full control over the affected system. This vulnerability is classified under CWE‑416 and results in a loss of confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, and Microsoft Office LTSC for Mac 2024. No specific sub‑versions are listed, so all releases in these product lines are potentially impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and while EPSS data is not provided, the lack of KEV listing suggests no known extant exploits yet. However, the flaw can be triggered remotely by delivering a malicious document, commonly via email or shared network locations. Because the attack requires user interaction to open the document, the risk is moderate to high for environments that do not enforce strict attachment filtering. Once triggered, the attacker can inject and run code, leading to complete system compromise.

Generated by OpenCVE AI on April 14, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security updates from Microsoft for Office 365 and Office LTSC 2021 and 2024, including the patch for CVE-2026-33095.
  • Ensure that all Office installations are kept up to date by enabling automatic updates or regularly checking the Microsoft Security Update Guide.

Generated by OpenCVE AI on April 14, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title Microsoft Word Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office 2021 Office 2024 Office Macos 2021 Office Macos 2024
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-15T21:54:42.655Z

Reserved: 2026-03-17T20:15:23.718Z

Link: CVE-2026-33095

cve-icon Vulnrichment

Updated: 2026-04-14T19:29:26.400Z

cve-icon NVD

Status : Received

Published: 2026-04-14T18:17:31.390

Modified: 2026-04-14T18:17:31.390

Link: CVE-2026-33095

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T15:00:06Z

Weaknesses