Microsoft Patches Outlook and Word Flaws That Could Let Attackers Run Malicious Code


Microsoft has patched three critical remote code execution vulnerabilities affecting Outlook and Word. The flaws are tracked as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635.

The fixes were included in Microsoft’s June 9 Office security updates. The vulnerabilities can allow an attacker to execute code with the victim’s permissions if Office processes malicious content.

The risk is serious because Outlook’s Preview Pane can trigger the attack path, according to CrowdStrike’s June 2026 Patch Tuesday analysis. That means a user may not need to manually open an attachment for malicious content to become dangerous.

What Microsoft fixed in Outlook and Word

All three vulnerabilities carry a CVSS v3.1 score of 8.4. The CVSS vector lists a local attack vector, but Microsoft and security vendors still treat the bugs as remote code execution issues because attackers can deliver malicious Office content over email or another network channel.

The flaws involve memory safety problems in Microsoft Office. These types of bugs can corrupt memory in ways that allow carefully crafted content to redirect execution flow and run attacker-controlled code.

CVE            | Vulnerability type                    | CVSS score | Impact
CVE-2026-45456 | Type confusion (CWE-843)              | 8.4        | Code execution through malicious Office content
CVE-2026-45458 | Use-after-free (CWE-416)              | 8.4        | Code execution when Office processes crafted content
CVE-2026-47635 | Heap-based buffer overflow (CWE-122)  | 8.4        | Code execution through memory corruption

Why the Outlook Preview Pane matters

The Outlook Preview Pane increases the practical risk because users often preview messages as part of normal email handling. In some Office vulnerabilities, rendering a malicious message or file preview can be enough to trigger vulnerable parsing code.

CrowdStrike said the Preview Pane is an attack vector for all three vulnerabilities. This makes patching more urgent for organizations that rely on classic Outlook in enterprise environments.

A successful exploit would run code in the context of the signed-in user. If that user has broad local rights, the attacker could gain a stronger foothold. Attackers could also chain the Office exploit with another vulnerability to escalate privileges or move laterally.

Affected Office products and update channels

Microsoft’s Office security update release notes list June 9 Word security fixes across supported Office channels. These include Microsoft 365 Apps, Office 2024, Office 2021, Office LTSC 2024, Office LTSC 2021, and Office 2019 volume licensed builds.

Administrators should not assume that one Office update covers every installed product line. Mixed environments may include Microsoft 365 Apps, LTSC builds, retail Office builds, and legacy volume licensed versions, each with its own update channel and build number.

  • Check Microsoft 365 Apps update channels and build numbers.
  • Update Office LTSC and volume licensed installations separately when needed.
  • Confirm that Word and Outlook builds match the June security release level.
  • Review unmanaged endpoints that may not receive Office updates automatically.

How organizations can reduce attack risk

Patching is the main fix. These flaws sit in Office’s document and content-processing path, so configuration changes cannot fully remove the risk. Still, layered controls can reduce exposure while updates roll out.

Organizations can use Microsoft Defender Attack Surface Reduction rules to restrict risky Office behavior, including Office apps creating child processes and Outlook creating child processes. These rules can limit what attackers do after code execution.

Microsoft’s Protected View guidance also explains why files from the internet, unsafe locations, and Outlook attachments may open in a restricted mode. Admins should keep these protections enabled for untrusted files and avoid training users to click through warnings.
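The following is an added example, not code from the article or from Microsoft, showing how an admin can check whether the two ASR rules named above are configured, and enable them in audit mode first. The rule GUIDs are Microsoft's published identifiers for those rules; the function names are this example's own.

```powershell
# Added example, not code from the article or from Microsoft: report the state of the two
# ASR rules the article names and, when asked, enable them in audit mode first.
# The rule GUIDs are Microsoft's published identifiers for these two rules.
$officeRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application (Outlook) from creating child processes'
}

# Get-MpPreference returns the configured rule IDs and a parallel array of action codes.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-OfficeAsrState {
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $officeRules.Keys) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            # -eq compares strings case-insensitively, so GUID casing does not matter
            if ($ids[$i] -eq $guid) { $state = $actionNames[[int]$actions[$i]]; break }
        }
        [pscustomobject]@{ Rule = $officeRules[$guid]; Id = $guid; State = $state }
    }
}

function Set-OfficeAsrAudit {
    # Audit mode logs what would have been blocked (Event ID 1122 in the
    # Microsoft-Windows-Windows Defender/Operational log) without interrupting users.
    # Re-run with -AttackSurfaceReductionRules_Actions Enabled once the events are reviewed.
    foreach ($guid in $officeRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid -AttackSurfaceReductionRules_Actions AuditMode
    }
}

Get-OfficeAsrState | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a Defender-managed endpoint; rules configured by Intune or Group Policy also show up in Get-MpPreference.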

Control                                                | Why it helps
Apply Office security updates                          | Removes the vulnerable code path addressed by Microsoft.
Limit or disable Preview Pane for high-risk mailboxes  | Reduces automatic rendering of suspicious email content.
Keep Protected View enabled                            | Adds restrictions for files from untrusted sources.
Enable ASR rules for Office and Outlook                | Limits child processes and other post-exploit behavior.
Monitor Office crashes and child processes             | Helps detect exploitation attempts or successful compromise.

What security teams should monitor

Security teams should watch for unusual Word or Outlook behavior after email rendering or document preview events. A crash loop tied to a specific email, attachment, or sender can indicate malformed content hitting a vulnerable parser.

Useful signals include Word or Outlook spawning suspicious child processes, Office opening command shells, unexplained PowerShell activity, or Office processes connecting to unfamiliar external hosts. Admins should compare these events with the ASR rule reference to decide which controls should run in audit or block mode.
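As an added example (not from the article), the filter below flags Word or Outlook spawning a shell or script host, the signal described above. The events are constructed for the example; in production the same function would be fed Sysmon Event ID 1 or Security 4688 records mapped to the ParentImage, Image and CommandLine fields it assumes.

```powershell
# Added example, not code from the article: flag Word or Outlook spawning a shell or
# script host, the post-exploitation signal the article tells teams to watch for.
# The events are constructed here; in production, feed it Sysmon Event ID 1 (or Security
# 4688) records mapped to the same ParentImage/Image/CommandLine fields.
$officeParents      = 'WINWORD.EXE', 'OUTLOOK.EXE', 'EXCEL.EXE', 'POWERPNT.EXE'
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                      'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'

function Find-OfficeChildProcess {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $parent = [IO.Path]::GetFileName($Event.ParentImage)
        $child  = [IO.Path]::GetFileName($Event.Image)
        # -contains compares case-insensitively, so WINWORD.EXE and winword.exe both match
        if ($officeParents -contains $parent -and $suspiciousChildren -contains $child) {
            [pscustomobject]@{
                Time = $Event.TimeCreated; User = $Event.User
                Parent = $parent; Child = $child; CommandLine = $Event.CommandLine
            }
        }
    }
}

# Constructed sample events (not real telemetry)
$sample = @(
    [pscustomobject]@{ TimeCreated = '2026-06-10 09:12:03'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
        Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ TimeCreated = '2026-06-10 09:12:05'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image = 'C:\Windows\splwow64.exe'; CommandLine = 'splwow64.exe 12288' }   # routine print helper, not flagged
    [pscustomobject]@{ TimeCreated = '2026-06-10 09:13:40'; User = 'CORP\asmith'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe' }
)

$sample | Find-OfficeChildProcess | Format-Table -AutoSize
```

Only the OUTLOOK.EXE to cmd.exe event is reported; a shell launched from Explorer is out of scope for this rule, which is why the same control should run in ASR audit mode first to learn which child processes are normal in the environment.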

Admins should also review Protected View settings across Word and Outlook attachments. Users should not disable Protected View globally just to avoid extra prompts, especially in environments that receive many outside documents.

Users should update Office as soon as possible

Home users and businesses should install the latest Office security updates as soon as they are available for their channel. Users should also avoid opening unexpected Word documents, previewing suspicious email, or enabling editing on files from unknown senders.

For businesses, the safest approach is to patch first, then harden Outlook and Office behavior through security policy. Preview Pane controls, Protected View, ASR rules, and endpoint monitoring all help, but they should support the update process, not replace it.

FAQ

What are the Outlook and Word vulnerabilities fixed by Microsoft?

Microsoft fixed three remote code execution vulnerabilities affecting Outlook and Word: CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635. They involve memory safety flaws that can allow malicious Office content to execute code.

Can these Outlook and Word flaws be exploited through email?

Yes. Security analysis says the Outlook Preview Pane is an attack vector for all three vulnerabilities, which raises the risk from malicious emails or Office content handled by Outlook.

What is the CVSS score for the vulnerabilities?

All three vulnerabilities have a CVSS v3.1 score of 8.4. They are treated as serious remote code execution issues because successful exploitation can affect confidentiality, integrity, and availability.

How can users protect themselves?

Users should install the latest Office security updates, avoid opening unexpected Word documents, avoid enabling editing on suspicious files, and treat unexpected email attachments with caution.

What should administrators do after installing the patch?

Administrators should confirm Office build numbers across all update channels, keep Protected View enabled, consider Outlook Preview Pane restrictions for high-risk users, enable relevant ASR rules, and monitor Office processes for unusual child processes or crashes.
