Skip to main content
Mallory
Back to vulnerabilities
High

Remote Code Execution Type Confusion in Microsoft Office via Outlook Classic/Word Rendering

IdentifiersCVE-2026-45456CWE-843· Access of Resource Using…

CVE-2026-45456 is a critical type confusion vulnerability in Microsoft Office, specifically in the Office document parsing and Word rendering pipeline used by Microsoft Word and by Outlook Classic for rendering email content. The flaw arises from access of a resource using an incompatible type, allowing attacker-controlled content to be interpreted as a valid object or pointer during document or message rendering. A specially crafted Office document, email body, or attachment can trigger memory corruption when processed by the vulnerable Word rendering functionality. Because Outlook Classic uses Word as its rendering engine, exploitation may occur when malicious content is rendered in the Preview Pane, without the user explicitly opening an attachment. Successful exploitation can result in arbitrary code execution in the context of the current user.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthorized attacker to achieve remote code execution in the security context of the victim user. Although Microsoft’s base description refers to local code execution, the supporting content indicates the exploit chain can be initiated remotely by delivering crafted content through email and having Outlook Classic or Word process it locally. This can enable execution of arbitrary code, follow-on malware deployment, persistence, data theft, and chaining with privilege escalation or lateral movement techniques.

Mitigation

If you can’t patch tonight, do this now.

Primary mitigation is patching, as this is a core engine-level flaw. Until updates are fully deployed, reduce exposure by disabling or limiting the Outlook Classic Preview Pane for untrusted mailboxes, avoiding preview or interaction with untrusted email content and Office documents, and enforcing Protected View for files originating from the internet. Attack Surface Reduction rules that restrict Office applications from spawning child processes can reduce exploitability and post-compromise activity. Defenders should also monitor for rendering crashes, memory-access violations, and suspicious child processes spawned by Word or Outlook.

Remediation

Patch, then assume compromise.

Install all applicable Microsoft security updates for affected Microsoft Office, Word, and Outlook components. Microsoft notes that some affected software may require multiple update packages and that administrators should ensure each installed Office product line and SKU receives its corresponding security package. Apply updates across supported Word and Outlook builds, including Office LTSC 2024 and other affected channels. For Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Microsoft 365 for Mac, apply the vendor-provided update as soon as it becomes available.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft Corporation365 Appsapplication
Microsoft CorporationMicrosoft 365application
Microsoft CorporationOfficeapplication
Microsoft CorporationOffice 2016application
Microsoft CorporationOffice 2019application
Microsoft CorporationOffice 2021application
Microsoft CorporationOffice 2024application
Microsoft CorporationOffice 365application
Microsoft CorporationOffice Macos 2021application
Microsoft CorporationOffice Macos 2024application
Microsoft CorporationSharepoint Serverapplication
Microsoft CorporationSharepoint Server 2016application
Microsoft CorporationSharepoint Server 2019application
Microsoft CorporationWord 2016application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
cyber security newsNews
Jun 12, 2026
Microsoft Outlook and Word Vulnerability Allow Attackers to Execute Malicious Code

A critical remote code execution vulnerability in Microsoft Outlook and Word caused by type confusion in the Word rendering engine/document parsing pipeline.

Read more
cyberthroneNews
Jun 10, 2026
Microsoft Patch Tuesday - June 2026 - TheCyberThrone

A critical type confusion remote code execution vulnerability in Microsoft Office exploitable via the Outlook Classic preview pane.

Read more
malware newsNews
Jun 9, 2026
Microsoft Patch Tuesday for June 2026 - Snort rules and prominent vulnerabilities - Malware News - Malware Analysis, News and Indicators

A critical remote code execution vulnerability in Microsoft Office affecting Outlook and Word, caused by type confusion and reachable via Outlook classic preview pane/email rendering.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-45456
NVD
nvd.nist.gov/vuln/detail/CVE-2026-45456
MITRE CWE · CWE-843
Access of Resource Using Incompatible Type…
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45456