Critical RCE in Microsoft Office 365 – CVE‑2026‑34871

Vulnerabilities Reporter
Microsoft Office 365 users face a remote code execution flaw that can be exploited by crafted .docx files. Immediate patching required.

Impact

A single malicious Word document can execute arbitrary code on any Windows machine running an affected Office 365 build. The code runs with the privileges of the user who opened the document; where that user is a local administrator, or where the attacker chains a separate privilege escalation, this amounts to full control of the machine.

Affected Products

  • Microsoft Office 365 (Word, Excel, PowerPoint) – versions 2309 and earlier on Windows 10/11, Windows Server 2022 and earlier.
  • Outlook desktop clients – same version range.

CVSS Score

  • Base score: 9.8 (Critical), as published.
  • Exploitability: network-delivered, no authentication, client-side (the victim must open the document).
  • Caveat: a base score of 9.8 requires User Interaction: None. Opening a document is user interaction (UI:R), and AV:N/AC:L/PR:N/UI:R/C:H/I:H/A:H scores 8.8 under CVSS 3.1. Check the vector string in the MSRC entry rather than relying on the headline number.

Technical Details

CVE‑2026‑34871 is a memory-safety flaw in the Office Open XML (OOXML) parser. The vulnerability sits in the DocxHandler class, which processes the customXml namespace. During the LoadXml call, the Target attribute of a Relationship element is copied without sufficient bounds checking, so an over-long attribute value overflows a stack buffer in the underlying XmlTextReader implementation. Because the parser runs as soon as the document is opened, no macro, ActiveX control or other active content is involved; macro settings therefore have no effect on whether the bug is triggered. The overflow lets the attacker overwrite the saved return address and redirect execution to attacker-controlled data in the document.

In the observed exploitation chain, the payload writes a malicious DLL into the user's Temp directory and then instantiates a COM object that loads it. Once loaded, the DLL executes arbitrary commands with the privileges of the current user. Two artefacts follow from this design and are the basis for the detection advice below: a DLL newly written under %TEMP% by an Office process, and child processes or module loads originating from WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE or OUTLOOK.EXE.

Mitigation Steps

  1. Patch immediately – install the latest Office 365 update from the Microsoft Update Catalog or let Click-to-Run apply it automatically. This is the only step that removes the flaw.
  2. Restrict macros – set Disable all macros with notification via Group Policy. This does not stop CVE‑2026‑34871 (the bug is in the parser, not in VBA), but it removes the most common follow-on stage in document-borne attacks.
  3. Reduce the attack surface – enable the Windows Defender Exploit Guard Attack Surface Reduction rules that block Office applications from creating child processes and from creating executable content; these break the DLL-drop-and-load chain described above. Keep Protected View enabled for files from the Internet, and quarantine or strip Office attachments from unknown senders at the mail gateway (Exploit Guard itself does not filter by sender).
  4. Educate users – warn staff not to open Word documents from unverified sources.
  5. Monitor logs – enable auditing for Event ID 4688 (process creation) together with the "Include command line in process creation events" policy, and alert on any child process whose parent is an Office executable. Event ID 4689 (process termination) adds little on its own.
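The hardening and detection steps above, worked through as an added PowerShell example. This is not code from the advisory or from Microsoft. It assumes Microsoft Defender Antivirus is the active engine (for the ASR rules), that process-creation auditing with command-line logging is already turned on, and that the DLL-drop location is the per-user Temp directory as the advisory describes. The ASR rule GUIDs are the ones Microsoft publishes for the two named rules; confirm them against the current ASR rule reference before rolling out.

```powershell
# Added example for this advisory (not Microsoft's or the page's own code).
# Part 1: enable the two Attack Surface Reduction rules that break the chain
# of an Office process writing a DLL and then loading or launching it.
# Requires an elevated prompt and Microsoft Defender Antivirus as the active engine.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}
foreach ($id in $asrRules.Keys) {
    # Deploy with -AttackSurfaceReductionRules_Actions AuditMode first if add-ins
    # in your estate spawn helper processes; switch to Enabled once the audit is clean.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "ASR rule enabled: $($asrRules[$id])"
}

# Part 2: hunt Security-log 4688 events for processes spawned by Office.
# Needs "Audit Process Creation" plus "Include command line in process creation
# events", otherwise Properties[8] (CommandLine) is empty.
function Get-OfficeChildProcesses {
    param([int]$Days = 7)
    $officeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        # Properties[13] (ParentProcessName) exists on Windows 10 / Server 2016 and later.
        if ($p.Count -le 13) { return }
        $parent = [System.IO.Path]::GetFileName([string]$p[13].Value).ToUpperInvariant()
        if ($officeParents -contains $parent) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($p[2].Value)\$($p[1].Value)"
                Parent      = $parent
                Child       = $p[5].Value
                CommandLine = $p[8].Value
            }
        }
    }
}

# Part 3: list DLLs recently written to any user's Temp directory (the drop
# location the advisory describes) and show their Authenticode status.
function Get-RecentTempDlls {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp' -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Written   = $_.LastWriteTime
                SizeBytes = $_.Length
                Signature = $sig.Status   # 'Valid' is expected for legitimate installer DLLs
            }
        } | Sort-Object Written -Descending
}

Get-OfficeChildProcesses | Format-Table -AutoSize
Get-RecentTempDlls | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Any hit from Get-OfficeChildProcesses is worth a look; legitimate cases are rare and usually limited to known add-ins or the Office click-to-run updater. An unsigned DLL in Temp that appears in the same minute as an Office child process is the pattern the advisory's exploitation chain would leave, and the file should be collected before the machine is cleaned.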

Timeline

Date         Event
2026‑04‑12   CVE‑2026‑34871 disclosed by MSRC.
2026‑04‑15   Initial patch released for Office 365 version 2309.
2026‑04‑18   Advisory issued to all Office 365 customers.
2026‑04‑20   Security Update Guide updated with mitigation steps.

What to Do Now

  1. Verify your Office version: File → Account → About Word (the Click-to-Run registry also reports it, which is easier to check across a fleet).
  2. If the build is version 2309 or earlier and does not carry the fixed 2309 build number listed in the MSRC entry, apply the patch within 24 hours.
  3. If unable to patch immediately, isolate affected machines from the network until the update is applied.
  4. Run a Microsoft Defender for Endpoint scan and review user Temp directories for recently written, unsigned DLLs and for child processes spawned by Office applications.
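The version check from the list above, scripted so it can run in a login script or against remote hosts instead of clicking through File → Account. This is an added example, not code from the advisory or from Microsoft. It reads the Click-to-Run configuration keys that Office 365 / Microsoft 365 Apps populate under HKLM. The advisory names version 2309 as the last affected version but does not publish the fixed build number, so $FixedBuild is a placeholder you must replace with the 16.0.<build>.<revision> string from the MSRC entry; the hostnames are constructed.

```powershell
# Added example (not from the advisory or Microsoft). Reads the Click-to-Run
# registry keys so the check can run remotely or at logon.
function Get-OfficeC2RVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $key)) { return $null }   # MSI-based Office or no Office at all
    $cfg = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        VersionToReport = $cfg.VersionToReport   # 16.0.<build>.<revision>
        Build           = [int]($cfg.VersionToReport -split '\.')[2]
        UpdateChannel   = $cfg.UpdateChannel     # CDN URL that identifies the channel
        Platform        = $cfg.Platform
    }
}

# Compares the installed build to the fixed build. [version] compares all four
# parts numerically, so 16.0.16827.20130 < 16.0.16827.20166 < 16.0.17000.0.
function Test-OfficePatched {
    param(
        [Parameter(Mandatory)][string]$FixedBuild,
        [string]$VersionToReport = (Get-OfficeC2RVersion).VersionToReport
    )
    if (-not $VersionToReport) { return 'No Click-to-Run Office found' }
    $installed = [version]$VersionToReport
    $fixed     = [version]$FixedBuild
    if ($installed -ge $fixed) { "PATCHED    $VersionToReport" }
    else                        { "VULNERABLE $VersionToReport (needs >= $FixedBuild)" }
}

# PLACEHOLDER (assumption): replace with the fixed build string from the MSRC
# entry for CVE-2026-34871 before using the result for anything.
$FixedBuild = '16.0.16827.20130'

Get-OfficeC2RVersion
Test-OfficePatched -FixedBuild $FixedBuild

# Fleet check over WinRM. Hostnames are constructed for the example.
$hosts = 'SRV01', 'SRV02'
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-OfficeC2RVersion} -ErrorAction SilentlyContinue |
    Select-Object PSComputerName, VersionToReport, UpdateChannel

# Step 4 of the list: kick off a Defender quick scan on this host.
Start-MpScan -ScanType QuickScan
```

Invoke-Command passes the function body as a script block, so no module needs to be present on the remote hosts; machines that return nothing either have no Click-to-Run Office or do not accept WinRM and should be checked by hand.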

Bottom Line

Act now. The only user action the attack needs is opening the document, and Protected View or macro settings are not a substitute for the fix. Patching removes the vulnerability; the ASR rules, mail-gateway filtering and process-creation monitoring above limit the damage and give you a way to see exploitation attempts until every machine is updated.
