Description
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: 2026-04-14
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Immediate Patch
AI Analysis

Impact

An untrusted pointer dereference in Microsoft Office Word enables an attacker with local access to execute arbitrary code. Once exploited, the attacker can run code with the privileges of the user, potentially compromising the confidentiality, integrity, and availability of the affected system. The weakness is classified as CWE-822, a type of memory corruption that can lead to code execution.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise, Office LTSC 2021, Office LTSC 2024, Office LTSC for Mac 2021, and Office LTSC for Mac 2024. All versions of these products that contain the vulnerable Word component are impacted. Specific patch versions are not listed in the data, so any current installation is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.4 reflects a high severity vulnerability. No EPSS score or KEV listing is available, indicating that public exploitation evidence may be limited at this time. The attack likely requires local access to trigger the pointer dereference, meaning it is a local code execution risk rather than a remotely exploitable RCE. The exploit path involves corrupting memory through untrusted input processed by Word, which can then lead to arbitrary code execution.

Generated by OpenCVE AI on April 14, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update for Office applications provided in the CVE-2026-33114 update guide.
  • Ensure all installations of Microsoft 365 Apps for Enterprise and all Office LTSC editions are updated with the latest patches.
  • If immediate patching is not feasible, restrict user permissions on Word documents, disable macros, and isolate document processing on trusted machines.

Generated by OpenCVE AI on April 14, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title Microsoft Word Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-822
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office 2021 Office 2024 Office Macos 2021 Office Macos 2024
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-15T21:55:30.958Z

Reserved: 2026-03-17T20:15:23.720Z

Link: CVE-2026-33114

cve-icon Vulnrichment

Updated: 2026-04-14T18:20:44.239Z

cve-icon NVD

Status : Received

Published: 2026-04-14T18:17:33.510

Modified: 2026-04-14T18:17:33.510

Link: CVE-2026-33114

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses