Description
Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
Published: 2026-04-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Information Disclosure
Action: Apply patch
AI Analysis

Impact

An out‑of‑bounds read flaw exists in Microsoft Office Word that can be triggered by a local attacker. The bug allows the attacker to read memory contents beyond the intended buffer, resulting in the disclosure of potentially sensitive data. This vulnerability, classified as CWE‑125, leads to a local information disclosure without requiring elevated privileges.

Affected Systems

Microsoft has identified the flaw in several Office product lines, including Microsoft 365 Apps for Enterprise, Microsoft Office LTSC for Mac 2021, and Microsoft Office LTSC for Mac 2024. The affected releases are not limited to a single version; any installation of these products that has not received the latest cumulative update is potentially vulnerable.

Risk and Exploitability

The CVSS base score of 6.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting a lower likelihood of widespread exploitation. The attack vector is local (the published CVSS vector is AV:L/AC:L/PR:N/UI:R: no privileges required, user interaction required), meaning an attacker who has access to the user account can trigger the flaw; remote attackers cannot exploit this issue directly. Applying the patch eliminates exposure to this flaw.

Generated by OpenCVE AI on April 14, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement the security update for Microsoft Word from the Microsoft Security Response Center.
  • Verify that all affected Office versions have the latest cumulative update installed.
  • Restrict the execution of unknown Office documents and enforce a whitelist of trusted sources.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
Title | | Microsoft Word Information Disclosure Vulnerability
First Time appeared | | Microsoft; Microsoft 365 Apps; Microsoft office Macos 2021; Microsoft office Macos 2024
Weaknesses | | CWE-125
CPEs | | cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*; cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*; cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products | | Microsoft; Microsoft 365 Apps; Microsoft office Macos 2021; Microsoft office Macos 2024
References | |
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-15T21:54:45.712Z

Reserved: 2026-03-24T00:52:01.351Z

Link: CVE-2026-33822

Vulnrichment

Updated: 2026-04-14T19:35:36.460Z

NVD

Status: Received

Published: 2026-04-14T18:17:34.590

Modified: 2026-04-14T18:17:34.590

Link: CVE-2026-33822

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:00:06Z

Weaknesses