Microsoft addresses a severe vulnerability affecting multiple products. Attackers can exploit it without authentication. Patch now.
Microsoft has released security updates addressing CVE-2026-21246, a critical vulnerability affecting multiple products. The vulnerability allows remote code execution. Attackers can exploit it without authentication. Organizations must apply patches immediately.
Affected Products
Microsoft has confirmed the following products are vulnerable:
- Windows 10 (version 21H2 and later)
- Windows 11 (all versions)
- Microsoft Office 2019 and 2021
- Microsoft 365 Apps
- Microsoft Edge (Chromium-based)
Severity and Impact
CVSS score: 9.8 (Critical)
Successful exploitation lets an attacker run arbitrary code in the context of the user who processed the malicious content. When that user has administrative rights this amounts to complete system compromise: the attacker can install programs, view, change or delete data, and create new accounts with full user rights. The CVSS vector scores the flaw as requiring no authentication and no user interaction; note, however, that the delivery paths described under Technical Details (crafted documents, compromised websites, attachments) depend on a user opening attacker-supplied content, so exposure in practice is primarily on the client side.
Technical Details
The vulnerability exists in how Microsoft Windows handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights could be less impacted than those who operate with administrative user rights.
The vulnerability can be reached through compromised or attacker-controlled websites and through specially crafted documents. Attackers can also deliver the malicious content as email attachments or via instant messaging.
Mitigation
Microsoft has released security updates to address this vulnerability. Organizations should apply the following updates immediately:
- Security Update for Windows 10 (KB5034441)
- Security Update for Windows 11 (KB5034443)
- Security Update for Microsoft Office (KB5034439)
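The following PowerShell is an added example and is not part of Microsoft's advisory. It checks whether the KB numbers listed above are present on the local host, first through Get-HotFix and then, because that view is incomplete, through the Windows Update history. It also reports the Office Click-to-Run build, since Click-to-Run Office is serviced as a whole build rather than as a discrete KB. The KB-to-product mapping is taken from the list above; adjust it to whatever your patch-management system tracks.

```powershell
# Added example (not Microsoft's code). Verifies that the advisory's KBs are installed.
# Assumption: the KB-to-OS mapping below mirrors the advisory text; edit it for your fleet.
$RequiredKbs = @{
    'Windows 10' = 'KB5034441'
    'Windows 11' = 'KB5034443'
}

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)

    # Fast path: Win32_QuickFixEngineering, which Get-HotFix wraps. It does not list
    # every update type, so a miss here is not conclusive on its own.
    if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) { return $true }

    # Slower but more complete: Windows Update history. ResultCode 2 = Succeeded.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return $false }
    $hit = $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Title -match $Kb -and $_.ResultCode -eq 2 }
    return [bool]$hit
}

$osName = (Get-CimInstance Win32_OperatingSystem).Caption
$kb = $RequiredKbs.GetEnumerator() |
    Where-Object { $osName -like "*$($_.Key)*" } |
    Select-Object -First 1 -ExpandProperty Value

if ($kb) {
    $state = if (Test-KbInstalled -Kb $kb) { 'INSTALLED' } else { 'MISSING' }
    '{0}: {1} {2}' -f $osName, $kb, $state
} else {
    Write-Warning "No KB in the advisory maps to '$osName'; check the Microsoft Update Catalog."
}

# Office Click-to-Run (Microsoft 365 Apps, Office 2019/2021) does not surface KB5034439
# in the hotfix list; compare the reported build against the fixed build in the advisory.
$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (Test-Path $c2r) {
    $cfg = Get-ItemProperty -Path $c2r
    'Office Click-to-Run build {0} (update channel: {1})' -f $cfg.VersionToReport, $cfg.CDNBaseUrl
} else {
    'No Click-to-Run Office installation found on this host.'
}
```

Run it on a representative sample of endpoints rather than trusting a single management console view; Get-HotFix alone regularly reports cumulative updates as missing, which is why the script falls back to the update history.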
Workarounds
If immediate patching is not possible, Microsoft recommends the following workarounds:
- Enable Exploit Protection in Windows Security, the built-in successor to the Enhanced Mitigation Experience Toolkit (EMET); EMET itself was retired by Microsoft in July 2018 and is not supported on Windows 10 or Windows 11
- Configure Microsoft Office to open files in Protected View
- Block Microsoft Office protocols at the network perimeter in both directions until the updates are deployed
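As an added example, not taken from the advisory, the PowerShell below applies the first two workarounds on a single host: per-process Exploit Protection for the Office executables (the protections EMET used to provide, now shipped in Windows) and Protected View for files from the internet, attachments and unsafe locations. The perimeter blocking item depends on your network gear and is not covered here. It assumes the Office 16.0 registry layout used by Office 2019, 2021 and Microsoft 365 Apps, and writes to the current user's policy hive; for a fleet, push the same values through Group Policy. Run it elevated and pilot it first, because mandatory ASLR (ForceRelocateImages) can break add-ins that were not built with /DYNAMICBASE.

```powershell
# Added example (not Microsoft's code). Applies interim hardening while patches roll out.
# Assumptions: Office 16.0 registry paths; HKCU policy hive of the current user.

$officeExes = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'

foreach ($exe in $officeExes) {
    # Per-process Exploit Protection. These are the EMET-era mitigations that Windows 10/11
    # ship natively; ForceRelocateImages is mandatory ASLR and is the one most likely to
    # break third-party add-ins, so remove it if a pilot shows compatibility problems.
    Set-ProcessMitigation -Name $exe -Enable DEP, SEHOP, BottomUp, HighEntropy, ForceRelocateImages
}

# Protected View policy switches. Each Disable*InPV value set to 0 keeps Protected View on
# for that source; a value of 1 would disable it, which is what we are guarding against.
$pvValues = 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView"
    New-Item -Path $key -Force | Out-Null
    foreach ($name in $pvValues) {
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    }
}

# Verify what was applied.
foreach ($exe in $officeExes) {
    $m = Get-ProcessMitigation -Name $exe
    '{0}: DEP={1} SEHOP={2} MandatoryASLR={3}' -f $exe, $m.Dep.Enable, $m.SEHOP.Enable, $m.Aslr.ForceRelocateImages
}
Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView' |
    Select-Object $pvValues
```

Because these keys live under the Policies hive, users cannot switch Protected View back off from the Trust Center; that is the point of using the policy path rather than the per-user preference under HKCU\Software\Microsoft\Office.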
Timeline
- Discovery: April 15, 2024
- Notification to Affected Vendors: April 16, 2024
- Exploitation Detected: May 13, 2024
- Public Disclosure: May 14, 2024
Additional Resources
For complete information on this vulnerability, refer to the official Microsoft Security Advisory MSRC-46248.
Organizations experiencing issues with the updates should contact Microsoft Support directly. Additional guidance is available in the Microsoft Security Response Center blog.
Organizations should also review their security posture. Ensure all systems are patched regularly. Implement network segmentation. Deploy application whitelisting. Use the latest version of Microsoft security products.