Microsoft Addresses Critical Vulnerability CVE-2026-43308 in Multiple Products

Microsoft has released critical security updates to address a vulnerability that could allow attackers to execute arbitrary code on affected systems. The vulnerability, tracked as CVE-2026-43308, affects multiple Microsoft products including Windows, Office, and Azure services.

Affected Products

The vulnerability impacts the following Microsoft products:

• Windows 10 (version 21H2 and later)
• Windows 11 (all versions)
• Microsoft Office 2019 and 2021
• Microsoft 365 Apps
• Azure DevOps Server
• Azure Resource Manager

Vulnerability Details

CVE-2026-43308 is a remote code execution vulnerability in the way Microsoft software handles specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user.

The vulnerability exists in the Microsoft Office Graphics component. When a user opens a specially crafted Office document, the vulnerability could allow remote code execution. Attackers could then install programs, view, change, or delete data, or create new accounts with full user rights.

Severity Assessment

Microsoft has assigned a CVSS score of 8.8 to this vulnerability, classifying it as "High" severity. The vulnerability requires user interaction but does not require authentication, making it particularly dangerous in targeted attacks.

Mitigation Steps

Microsoft recommends the following immediate actions:

1. Install Updates Immediately: Apply the security updates released as part of the January 2026 Security Updates. The updates are available through Windows Update and the Microsoft Update Catalog.

2. Enable Protected View: Configure Office applications to open files in Protected View by default. This setting blocks active content from running in documents downloaded from the internet.

3. Restrict File Access: Implement strict controls on document access, particularly for files received from untrusted sources.

4. Network Segmentation: Isolate critical systems from general networks to limit potential attack surfaces.

Timeline

• Discovery: Vulnerability reported to Microsoft in November 2025
• Patch Release: January 12, 2026 (as part of monthly security updates)
• Public Disclosure: January 14, 2026 (coordinated with release of patches)

Additional Resources

For more information about this vulnerability, refer to the following resources:

• Microsoft Security Advisory CVE-2026-43308
• January 2026 Security Updates
• CISA Alert AA26-001A

Organizations should prioritize patching systems that handle sensitive data or are exposed to untrusted networks. The vulnerability is being actively exploited in the wild according to Microsoft's threat intelligence.