Microsoft has released security updates to address a critical vulnerability affecting multiple products. The vulnerability could allow remote code execution.
Microsoft has released security updates to address CVE-2026-43298, a critical vulnerability affecting multiple Microsoft products. The vulnerability could allow an attacker to execute arbitrary code with elevated privileges.
Affected Products
The following Microsoft products are affected by CVE-2026-43298:
- Windows 10 (version 1903 and later)
- Windows 11 (all versions)
- Microsoft Office 2019 and Microsoft 365 Apps
- Microsoft Edge (Chromium-based)
- .NET Framework 3.5 and 4.x
Severity
CVSS Score: 8.8 (High) Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
The vulnerability has been rated as High severity due to its potential for remote code execution without requiring user interaction in some scenarios.
Vulnerability Details
CVE-2026-43298 is a memory corruption vulnerability in the way Microsoft Windows handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
Attackers could exploit this vulnerability by convincing a user to open a specially crafted file or visit a malicious website. In an email attack scenario, an attacker could send a specially crafted document that is designed to exploit the vulnerability and then convince the user to open it.
Mitigation
Microsoft recommends the following actions:
Install Updates Immediately:
- Apply the security updates released on Patch Tuesday
- For Windows users, enable automatic updates through Windows Update settings
Workarounds:
- Disable the affected components in Microsoft Office
- Use Microsoft Office in protected view
- Configure Microsoft Edge to block pop-ups and untrusted sites
Additional Protections:
- Use Microsoft Defender Antivirus with up-to-date definitions
- Implement Application Control policies
- Enable Controlled Folder Access in Windows Defender
Timeline
- Discovery: October 2025
- Notification: November 2025
- Release Date: December 2025
- Exploit Status: No known public exploits at the time of release
References
Organizations should prioritize applying these updates, especially on systems that handle sensitive data or are accessible from untrusted networks.
Comments
Please log in or register to join the discussion