CVE-2026-45458 – Microsoft Outlook and Word Remote Code Execution Vulnerability
“A carefully crafted email can turn a trusted communication channel into a pathway for code execution.”
CVE-2026-45458 is a Microsoft Outlook and Word Remote Code Execution vulnerability associated with CWE-416: Use After Free. The executive summary also describes the issue as a type confusion vulnerability in Microsoft Office that allows an unauthorized attacker to execute code locally. The flaw can be exploited through Outlook (classic) because Outlook uses Microsoft Word functionality to render email content. Microsoft confirms that the Preview Pane is an attack vector, increasing exposure during routine email review.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability creates a significant risk for organizations that rely heavily on email communications. An attacker could craft malicious content designed to trigger memory corruption when processed by Outlook’s Word-based rendering engine. Successful exploitation could allow code execution, potentially leading to malware deployment, credential theft, or unauthorized access to sensitive information.
EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept (PoC) code is identified in the available information.
TECHNICAL SUMMARY:
The vulnerability affects Microsoft Office functionality used by Microsoft Word and Outlook (classic). Microsoft states that Outlook relies on Word components when rendering email content, making the vulnerability reachable through email processing. The source data identifies CWE-416: Use After Free, while the executive summary describes a type confusion condition. Both weakness types can result in memory corruption and arbitrary code execution. The Preview Pane can trigger the vulnerable code path, increasing the attack surface during normal email handling.
EXPLOITABILITY:
Affected Microsoft Products: Microsoft Outlook (classic), Microsoft Word, Microsoft Office, and Microsoft SharePoint
Affected software includes:
- Microsoft 365 Apps for Enterprise (32-bit and 64-bit)
- Microsoft Office 2019 (32-bit and 64-bit)
- Microsoft Office 365 for Mac
- Microsoft Office LTSC 2021 (32-bit and 64-bit)
- Microsoft Office LTSC 2024 (32-bit and 64-bit)
- Microsoft Office LTSC for Mac 2021
- Microsoft Office LTSC for Mac 2024
- Microsoft Word 2016 (32-bit and 64-bit)
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server Subscription Edition
According to the CVSS metrics, the attack vector is Local, attack complexity is Low, no privileges are required, and no user interaction is required. The Preview Pane is confirmed as an attack vector, which is consistent with the No user interaction rating: the message body is rendered when it is previewed, without the user having to open the email.
BUSINESS IMPACT:
Email remains one of the most common methods used to target organizations. Successful exploitation could compromise user endpoints, expose sensitive communications, facilitate malware deployment, and provide attackers with an initial foothold inside the environment. Because Outlook is widely deployed across enterprises, this vulnerability could affect a large number of users if left unpatched.
WORKAROUND:
No workarounds are listed.
No mitigations are listed.
URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.4. The Preview Pane is a confirmed attack vector, and the vulnerability can be triggered through Outlook’s email rendering functionality. Organizations should prioritize deployment of the security updates across affected Office, Word, Outlook, and SharePoint platforms.
Key Details
- Affected Product: Microsoft 365 Apps
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-416