CVE-2026-45456 – Microsoft Outlook and Word Remote Code Execution Vulnerability

CVSS 8.4 IMPORTANT

“A single malicious email can turn a trusted inbox into a code execution opportunity, even before a message is fully opened.”

CVE-2026-45456 is a Microsoft Outlook and Word Remote Code Execution vulnerability caused by CWE-843: Access of Resource Using Incompatible Type (Type Confusion). The flaw exists within Microsoft Office functionality used by Microsoft Word and can be exploited through Outlook (classic) when rendering email content. Microsoft confirms that the Preview Pane is an attack vector, making this vulnerability particularly concerning because routine email review activities may expose users to risk.

CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability enables code execution through Microsoft Office components used by Outlook (classic). Attackers may attempt to exploit the flaw using specially crafted email content designed to trigger memory corruption during email rendering. Because email remains one of the most common attack delivery mechanisms, this vulnerability presents a practical threat to organizations of all sizes.

EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept (PoC) code is identified in the available information.

TECHNICAL SUMMARY:
The vulnerability is associated with a type confusion flaw, which occurs when software accesses a resource using an incompatible data type. This can lead to memory corruption and arbitrary code execution. Microsoft states that Outlook (classic) uses Microsoft Word functionality to render email content, making the vulnerability exploitable through Outlook even though the underlying issue exists within Word functionality. The Preview Pane can trigger the vulnerable code path, increasing exposure during normal email processing.

EXPLOITABILITY:
Affected Microsoft Product: Microsoft Outlook (classic), Microsoft Word, Microsoft Office, and Microsoft SharePoint
Affected software includes:
Microsoft 365 Apps for Enterprise (32-bit and 64-bit)
Microsoft Office 2019 (32-bit and 64-bit)
Microsoft Office LTSC 2021 (32-bit and 64-bit)
Microsoft Office LTSC 2024 (32-bit and 64-bit)
Microsoft Office LTSC for Mac 2021
Microsoft Office LTSC for Mac 2024
Microsoft Word 2016 (32-bit and 64-bit)
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2019
Microsoft SharePoint Server Subscription Edition
The attack vector is Local, with Low attack complexity, No privileges required, and No user interaction according to the CVSS metrics. The Preview Pane is confirmed as an attack vector.

BUSINESS IMPACT:
Email remains one of the most heavily targeted business applications. Successful exploitation could allow malware deployment, unauthorized access to sensitive information, compromise of user endpoints, and further movement within the environment. Because Outlook is widely used across organizations, a vulnerability affecting email rendering can significantly increase organizational exposure.

WORKAROUND:
No workarounds are listed.
No mitigations are listed.

URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.4. The Preview Pane is a confirmed attack vector, and the flaw can be triggered through Outlook’s email rendering functionality. Organizations should prioritize patching affected Office, Word, Outlook, and SharePoint deployments to reduce the risk of email-based code execution attacks.
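The advisory gives the four exploitability metrics (Attack Vector Local, Attack Complexity Low, Privileges Required None, User Interaction None) and the 8.4 base score, but not Scope or the Confidentiality/Integrity/Availability impacts. The following added example, which is not part of the original advisory or any Microsoft tooling, applies the CVSS v3.1 base-score equations to every Scope and impact combination and reports which ones reproduce 8.4; the function names are illustrative.

```python
import itertools
import math

# Metric weights from the CVSS v3.1 specification.
# The four exploitability metrics are the ones stated in the advisory.
EXPLOITABILITY = {"AV:L": 0.55, "AC:L": 0.77, "PR:N": 0.85, "UI:N": 0.85}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, float-safe."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(scope, c, i, a):
    """Base score for scope 'U' or 'C' and impact levels 'H', 'L' or 'N'."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if scope == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    exploitability = 8.22 * math.prod(EXPLOITABILITY.values())
    total = impact + exploitability
    if scope == "C":
        total *= 1.08
    return roundup(min(total, 10))


def consistent_vectors(target=8.4):
    """Return every (scope, C, I, A) combination whose score equals target."""
    return [
        (scope, c, i, a)
        for scope in ("U", "C")
        for c, i, a in itertools.product("HLN", repeat=3)
        if base_score(scope, c, i, a) == target
    ]


if __name__ == "__main__":
    for scope, c, i, a in consistent_vectors():
        print(f"AV:L/AC:L/PR:N/UI:N/S:{scope}/C:{c}/I:{i}/A:{a}")
```

Only one combination matches, so the published score implies Scope Unchanged with High impact on all three of confidentiality, integrity and availability.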

Key Details

Affected Product: Microsoft 365 Apps
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-843