Microsoft has released security updates to address a critical vulnerability affecting multiple products. Organizations must apply patches immediately to prevent potential exploitation.
Microsoft has released security updates to address CVE-2026-8711, a critical vulnerability affecting multiple products. The vulnerability could allow an attacker to execute arbitrary code with elevated privileges.
The vulnerability exists in the way Microsoft software handles certain objects in memory. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of the affected system.
Affected products include:
- Windows 10 Version 21H2
- Windows 11 Version 22H2
- Windows Server 2022
- Microsoft Office 2021
- Microsoft Office LTSC 2021
- Microsoft 365 Apps for Enterprise
The vulnerability has been assigned a CVSS score of 8.8, indicating high severity. Exploitation could allow an attacker to compromise affected systems and install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft recommends customers apply the security updates immediately. The updates are available through the Microsoft Update Catalog, Windows Update, and Microsoft Update.
For systems that cannot be updated immediately, Microsoft has provided additional mitigations:
- Enable the Enhanced Mitigation Experience Toolkit (EMET)
- Implement network segmentation to limit exposure
- Configure Microsoft Defender Antivirus to detect potential exploitation attempts
Organizations should review the Security Update Guide for detailed information about the vulnerability and remediation steps.
The security updates are being delivered as part of the regular Patch Tuesday cycle. Organizations using enterprise management systems should deploy the updates through their standard change management processes.
Customers experiencing issues with the updates should contact Microsoft Support. Additional information is available in the Microsoft Security Advisory.
Microsoft continues to investigate the vulnerability and will provide additional information as it becomes available. Organizations should monitor the MSRC blog for updates.