CVE-2026-55132 – Microsoft Word Remote Code Execution Vulnerability
“A single Word document can become a powerful attack tool when memory corruption flaws are left exposed.”
A double-free vulnerability in Microsoft Word allows an unauthorized attacker to execute arbitrary code on a local system. An attacker must deliver a specially crafted Office document and convince a user to open it. Microsoft also confirms that the Preview Pane is an attack vector, which increases the risk during routine document handling.
CVSS Score: 7.8
SEVERITY: Critical
THREAT:
This vulnerability allows an attacker to execute arbitrary code through a specially crafted Microsoft Word document. The malicious file could be delivered through phishing email, collaboration platforms, or file-sharing services. Successful exploitation could allow the attacker to run code with the privileges of the affected user.
EXPLOITS:
The vulnerability was not publicly disclosed at the time of publication. Microsoft assesses exploitation as less likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the available information does not confirm the existence of public proof-of-concept exploit code.
TECHNICAL SUMMARY:
The vulnerability is caused by a double-free memory management flaw (CWE-415) in Microsoft Word. A double-free condition occurs when the application attempts to release the same memory location more than once, which can corrupt memory and create conditions for arbitrary code execution. A specially crafted Office document can trigger this flaw when opened or processed through the Preview Pane. The attack is carried out locally after the malicious file is processed.
EXPLOITABILITY:
Affected products include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021 and 2024, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition, and Microsoft Word 2016. Exploitation requires no attacker privileges but does require user interaction.
BUSINESS IMPACT:
Successful exploitation could allow attackers to install malware, steal sensitive information, modify files, or use the compromised system as a foothold for further attacks. Because Word documents are widely exchanged across organizations, this vulnerability presents a serious phishing and document-based attack risk.
WORKAROUND:
No mitigations or workarounds are available.
URGENCY:
This vulnerability should be deployed urgently because it is rated Critical and can lead to arbitrary code execution. The Preview Pane is also an attack vector, increasing exposure during routine document handling even before a file is fully opened.
Key Details
- Attack Vector
- Local
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- Required
- CWE Classification
- CWE-415