Description
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-06-09
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incompatible type access occurs when a Microsoft Office object is used with an unexpected type, a flaw referred to as type confusion. This flaw permits an attacker to run arbitrary code on the affected system with the privileges of the user who launches the compromised document. The Microsoft Office note identifies the vulnerability as leading to local code execution, thereby compromising confidentiality, integrity, and availability of the host machine.

Affected Systems

The flaw affects Microsoft Office LTSC 2024, specifically impacting the Outlook and Word applications. Any user consuming a malicious Office document created for this version is at risk.

Risk and Exploitability

The CVSS score of 8.4 classifies this as a high‑severity vulnerability. EPSS is not available, so the quantitative likelihood of exploitation cannot be determined, but the fact that the flaw causes local execution suggests a local user or attacker who can deliver a malicious document may succeed. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation yet. Given the lack of an explicit remote attack vector in the description, it is reasonable to infer that the primary exploitation path involves a user opening a crafted Office file, possibly via email or file share. If the vulnerability were to be exposed in a remote context, the risk would increase markedly.

Generated by OpenCVE AI on June 9, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft update available through the Microsoft Security Response Center update guide for CVE-2026-47635, which fixes the type‑confusion flaw (CWE‑122).
  • Adjust Office macro settings to ‘Disable all macros with notification’ or ‘Disable all macros except digitally signed ones’ to reduce the chance that malicious content exploits type‑confusion (CWE‑122).
  • Implement a zero‑trust policy by scanning all Office documents with an up‑to‑date anti‑malware solution and requiring user interaction only for files from trusted sources, mitigating the type‑confusion (CWE‑122) risk.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:office_2024:-:*:*:*:ltsc:-:x64:*
cpe:2.3:a:microsoft:office_2024:-:*:*:*:ltsc:-:x86:*

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
Title Microsoft Outlook and Word Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft office 2024
Weaknesses CWE-122
CPEs cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
Vendors & Products Microsoft
Microsoft office 2024
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:41:10.756Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47635

Vulnrichment

Updated: 2026-06-10T10:25:05.477Z

NVD

Status: Analyzed

Published: 2026-06-09T17:17:35.417

Modified: 2026-06-11T18:36:10.110

Link: CVE-2026-47635

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:00:13Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow