CVE-2026-47635 – Microsoft Outlook and Word Remote Code Execution Vulnerability

CVSS 8.4 IMPORTANT

“A malicious email can transform a trusted inbox into a pathway for code execution before the user even opens an attachment.”

CVE-2026-47635 is a Microsoft Outlook and Word Remote Code Execution vulnerability caused by a heap-based buffer overflow (CWE-122). The executive summary further describes the issue as access of a resource using an incompatible type (type confusion) within Microsoft Office functionality. The vulnerability can be exploited through Outlook (classic) because Outlook uses Microsoft Word components to render email content. Microsoft confirms that the Preview Pane is an attack vector, which increases exposure during normal email review.

CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability creates a significant risk for organizations that rely on Outlook for email communications. A specially crafted email could trigger memory corruption within the Word rendering engine used by Outlook (classic), potentially allowing an attacker to execute code on the affected system. Because email remains one of the most common attack delivery methods, this vulnerability presents a practical and potentially high-impact threat.

EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept (PoC) code is identified in the available information.

TECHNICAL SUMMARY:
The vulnerability involves memory corruption within Microsoft Office functionality used by Microsoft Word and Outlook (classic). According to Microsoft, Outlook leverages Word components when rendering email content, making the vulnerability reachable through email processing. The issue is described as involving type confusion, where a resource is accessed using an incompatible type, potentially resulting in memory corruption and arbitrary code execution. The Preview Pane can trigger the vulnerable code path, increasing the attack surface during routine email handling.

EXPLOITABILITY:
Affected Microsoft Product: Microsoft Outlook (classic) and Microsoft Word
Affected software includes:
Microsoft Office LTSC 2024 for 32-bit editions
Microsoft Office LTSC 2024 for 64-bit editions
The attack vector is Local, with Low attack complexity, No privileges required, and No user interaction according to the CVSS metrics. The Preview Pane is confirmed as an attack vector, and exploitation can occur through Outlook’s use of Microsoft Word rendering functionality.

BUSINESS IMPACT:
Email is one of the most heavily used business applications and one of the most common avenues for cyberattacks. Successful exploitation could lead to malware installation, credential theft, unauthorized access to sensitive communications, and compromise of user endpoints. Because Outlook is often used by executives, administrators, and business-critical personnel, the impact of a successful attack could extend well beyond a single user.

WORKAROUND:
No workarounds are listed.
No mitigations are listed.

URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.4. The Preview Pane is an attack vector, and the vulnerability can be triggered through Outlook’s email rendering functionality. Organizations should prioritize patching affected Office installations to reduce the risk of email-based code execution attacks.
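The advisory lists no workaround, so the practical response is to confirm which endpoints still run an unpatched Office build. The script below is an added example for that inventory step; it is not part of the advisory and not Microsoft's tooling. It reads the Click-to-Run configuration key that Office LTSC 2024 and Microsoft 365 Apps write (HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration) and compares the reported build against a fixed build you supply. The fixed build number is a placeholder parameter because this page does not state it; take it from the Microsoft Security Update Guide entry for CVE-2026-47635. MSI-based Office installs store their version elsewhere and are not covered.

```powershell
<#
Added example (not from the advisory): report the Click-to-Run Office build on a
Windows host and flag it if it is below the fixed build for CVE-2026-47635.
ASSUMPTION: -FixedBuild is a placeholder the operator must supply from the Microsoft
advisory; nothing here knows the real fixed build number.
Only Click-to-Run installs (Office LTSC 2024, Microsoft 365 Apps) are inspected.
#>
param(
    # PLACEHOLDER: pass the build Microsoft lists as fixed, e.g. -FixedBuild 16.0.XXXXX.XXXXX
    [Parameter(Mandatory = $true)]
    [version]$FixedBuild
)

function Get-OfficeC2RPatchState {
    param([Parameter(Mandatory = $true)][version]$MinimumFixedBuild)

    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path -Path $c2r)) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Installed    = $false
            Products     = $null
            Platform     = $null
            Channel      = $null
            Build        = $null
            Status       = 'No Click-to-Run Office found (MSI installs not inspected)'
        }
    }

    $cfg   = Get-ItemProperty -Path $c2r
    $build = [version]$cfg.VersionToReport

    # Outlook (classic) is delivered as part of the Office suite, so a suite product id
    # (for example one containing "LTSC" or "O365") means the Word rendering components
    # that Outlook relies on are present on this host.
    $products = ($cfg.ProductReleaseIds -split ',') | ForEach-Object { $_.Trim() }

    $status = if ($build -lt $MinimumFixedBuild) {
        'Below fixed build: update required'
    } else {
        'At or above fixed build'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $true
        Products     = ($products -join ', ')
        Platform     = $cfg.Platform        # x86 or x64, matches the 32/64-bit editions listed
        Channel      = $cfg.UpdateChannel   # update channel URL the install pulls from
        Build        = $build.ToString()
        Status       = $status
    }
}

Get-OfficeC2RPatchState -MinimumFixedBuild $FixedBuild | Format-List
```

Run it per host (or through your endpoint management tool) as `.\Get-OfficeC2RPatchState.ps1 -FixedBuild <build from the advisory>`; any host reporting "update required" still exposes the Word rendering path that Outlook's Preview Pane exercises.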

Key Details

Affected Product: Microsoft Office 2024
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-122