Microsoft has identified a critical security vulnerability affecting multiple products that could allow remote code execution. Organizations must apply patches immediately to prevent exploitation.
Microsoft has released security updates addressing a critical vulnerability affecting multiple products. The vulnerability, tracked as CVE-2026-46082, carries a CVSS score of 9.8 and could allow attackers to execute arbitrary code with system privileges.
Affected products include:
- Windows 10 (version 22H2 and later)
- Windows 11 (all versions)
- Microsoft Office 2021
- Microsoft 365 Apps for Enterprise
The vulnerability exists in the way Microsoft Windows handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system.
Microsoft has confirmed that this vulnerability is being actively exploited in the wild. Attackers are exploiting it through specially crafted documents and web content designed to convince users to visit malicious websites.
Organizations must apply the security updates immediately. The updates are available through:
- Windows Update
- Microsoft Update
- Microsoft Update Catalog
- Microsoft Endpoint Manager
For enterprise deployments, Microsoft recommends using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to deploy the updates.
Organizations unable to immediately apply patches should implement the following mitigations:
- Block access to untrusted websites
- Use application control solutions to prevent unauthorized applications from running
- Enable the Windows Defender Exploit Guard
- Use the Enhanced Mitigation Experience Toolkit (EMET)
Microsoft has not provided information on whether the vulnerability will be addressed in future versions of affected products. Organizations should monitor the Microsoft Security Response Center for additional updates.
The security updates are scheduled for the next Patch Tuesday, but Microsoft has released them out of cycle due to the active exploitation. Organizations should prioritize deployment of these critical updates.
For detailed information on the specific updates, refer to the Security Update Guide provided by Microsoft.
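To confirm that a Windows host in the affected range has actually taken the fix, compare its running build revision with the first patched revision rather than looking for one KB number, because later cumulative updates supersede earlier ones. The script below is an added example, not Microsoft's code. Assumptions: the function name `Get-PatchState`, the build-number table, and the fixed revisions, which are placeholders (0) to be filled in from the Security Update Guide; Office and Microsoft 365 Apps are not covered.

```powershell
# Added example, not Microsoft's code. The fixed revisions are PLACEHOLDERS (0):
# replace each with the first patched revision from the Security Update Guide.
$FixedRevision = @{
    19045 = 0   # Windows 10 22H2
    22000 = 0   # Windows 11 21H2
    22621 = 0   # Windows 11 22H2
    22631 = 0   # Windows 11 23H2
    26100 = 0   # Windows 11 24H2
}

function Get-PatchState {
    param(
        [Parameter(Mandatory)][int]$Build,                # e.g. 19045
        [Parameter(Mandatory)][int]$Revision,             # update build revision (UBR)
        [Parameter(Mandatory)][string]$InstallationType,  # 'Client' or 'Server'
        [Parameter(Mandatory)][hashtable]$Fixed           # build -> first patched UBR
    )
    # Advisory scope: Windows 10 22H2 and later (build 19045+) and all
    # Windows 11 releases (build 22000+), client editions only.
    if ($InstallationType -ne 'Client' -or $Build -lt 19045) { return 'OutOfScope' }
    # No table entry, or the placeholder is still in place: do not guess.
    if (-not $Fixed.ContainsKey($Build) -or $Fixed[$Build] -le 0) { return 'Unknown' }
    if ($Revision -ge $Fixed[$Build]) { return 'Patched' }
    return 'Vulnerable'
}

# Read the running build and revision of the local machine from the registry.
$cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR
$state = Get-PatchState -Build $build -Revision $ubr -InstallationType $cv.InstallationType -Fixed $FixedRevision

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Build        = '{0}.{1}' -f $build, $ubr
    State        = $state
}
```

A result of `Unknown` means the table has no usable entry for that build, so the host still needs a manual check against the Security Update Guide.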
This is a developing situation. Organizations should remain vigilant for any additional advisories from Microsoft regarding this vulnerability.