A critical flaw in Microsoft Office 365 allows remote code execution via crafted Office documents (Word, Excel and PowerPoint files). The vulnerability, CVE‑2026‑46033, is reported at 9.8 on CVSS v3.1. Patch affected Office 365 clients immediately.
CVE‑2026‑46033 – Office 365 Remote Code Execution
Impact
A single malicious Word document can execute arbitrary code on the victim’s machine with that user’s privileges. The only user interaction required is opening the file; no macros need to be enabled. Enterprises running Office 365 clients are at high risk.
Technical Details
- CVE ID: CVE‑2026‑46033
- Affected Products: Microsoft Office 365 – Word, Excel, PowerPoint (all Windows and macOS clients), versions up to and including 2308. The fix ships in the 2309 update (see Mitigation Steps and Timeline below).
- CVSS v3.1: 9.8 (Critical), as reported. Note that a 9.8 base score implies User Interaction: None; if the victim must open the file, as the Impact section states, the vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and the base score computes to 8.8 (High).
- Exploit Vector: Remote – via a crafted Office file
- Authentication: None required; the attack works against any user who opens the file
- Privileges Gained: Those of the current user. The flaw is not itself a privilege escalation; reaching SYSTEM or domain-level access requires a separate local elevation.
- Defense Evasion: Reputation-based controls such as Windows Defender SmartScreen do not flag the file because the malicious content is carried inside an otherwise well-formed, legitimate-looking Office document.
- Impact: Compromise of the user’s session and data, data exfiltration, persistence; full system compromise when chained with a local privilege escalation.
The vulnerability originates from improper validation of the Custom XML part within Office files. An attacker can inject a malicious XML payload that is parsed by the Office rendering engine, triggering a stack-based buffer overflow and arbitrary code execution. The overflow occurs in the XmlDocument::Parse routine, which fails to enforce bounds on the ElementName field. When the field exceeds 256 bytes, the copy runs past the fixed-size stack buffer, allowing the attacker to overwrite the saved return address and redirect execution to shellcode. Turning the overflow into reliable code execution also requires defeating the exploit mitigations present in current Office builds (stack cookies, DEP, ASLR); the advisory does not describe how that is done.
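As an added illustration (not code from the advisory or from Microsoft; the real parser is not public, and the 256-byte figure is taken from the page's description), the following C models the pattern in miniature: an element-name copy into a fixed 256-byte stack buffer with no bound, next to the same routine with the length check the page says is missing. The function names, the `NAME_DELIMS` set and the `hardened_accepts_name_of` probe are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the pattern the advisory describes: the element name
 * following '<' is copied into a fixed 256-byte stack buffer. Not Office code. */
#define ELEMENT_NAME_MAX 256

/* Characters that terminate an element name inside an XML start tag. */
static const char NAME_DELIMS[] = " \t\r\n/>";

/* VULNERABLE: copies until a delimiter with no bound on the destination.
 * A name of 256 bytes or more writes past name[] into the saved frame
 * (return address included). It is here to show the bug; only feed it
 * trusted input. Returns the name length, or -1 if no tag is present. */
static int parse_element_name_vulnerable(const char *xml)
{
    char name[ELEMENT_NAME_MAX];
    const char *p = strchr(xml, '<');
    size_t i = 0;

    if (p == NULL)
        return -1;
    p++;
    while (*p != '\0' && strchr(NAME_DELIMS, *p) == NULL)
        name[i++] = *p++;          /* missing: if (i >= sizeof name - 1) fail */
    name[i] = '\0';
    return (int)i;
}

/* HARDENED: measures the name first and rejects anything that would not fit
 * in out[cap], rather than truncating silently (a truncated name would be
 * parsed as a different element). Returns the length or -1 on rejection. */
static int parse_element_name_hardened(const char *xml, char *out, size_t cap)
{
    const char *p = strchr(xml, '<');
    size_t n;

    if (p == NULL || cap == 0)
        return -1;
    p++;
    n = strcspn(p, NAME_DELIMS);
    if (n == 0 || n >= cap)
        return -1;                 /* oversized ElementName: refuse the document */
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Probe: builds a constructed start tag "<AAA...A>" with name_len 'A's and
 * runs the hardened parser on it. Returns that parser's result. */
static int hardened_accepts_name_of(size_t name_len)
{
    char tag[1024];
    char out[ELEMENT_NAME_MAX];

    if (name_len + 3 > sizeof tag)
        return -1;
    tag[0] = '<';
    memset(tag + 1, 'A', name_len);
    tag[name_len + 1] = '>';
    tag[name_len + 2] = '\0';
    return parse_element_name_hardened(tag, out, sizeof out);
}

int main(void)
{
    /* Constructed sample resembling a Custom XML start tag. */
    const char *benign = "<w:customXml w:uri=\"urn:example\">";
    char out[ELEMENT_NAME_MAX];

    printf("benign, vulnerable parser: %d\n", parse_element_name_vulnerable(benign));
    printf("benign, hardened parser:   %d (%s)\n",
           parse_element_name_hardened(benign, out, sizeof out), out);
    printf("255-byte name, hardened:   %d\n", hardened_accepts_name_of(255));
    printf("256-byte name, hardened:   %d (-1 = rejected)\n", hardened_accepts_name_of(256));
    printf("300-byte name, hardened:   %d (-1 = rejected)\n", hardened_accepts_name_of(300));
    /* The vulnerable parser is deliberately not run on the oversized tags:
     * doing so would smash this program's own stack. */
    return 0;
}
```

The hardened version rejects at 256 bytes rather than 257 because the terminating NUL also has to fit; silently truncating instead would trade a memory-safety bug for a parsing-ambiguity bug.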
Mitigation Steps
- Apply the latest Office update: The fix is included in the Office 365 version 2309 release. Click-to-Run clients receive it from the Office CDN on their configured update channel, or through Configuration Manager or the Office Deployment Tool; Office 365 builds are not distributed through the Microsoft Update Catalog.
- Enable Office Protected View: In the Office Trust Center (or via Group Policy), make sure all three Protected View options are enabled: files originating from the Internet, files located in potentially unsafe locations, and Outlook attachments. Protected View opens the document in a read-only sandbox with active content disabled. It only applies to files carrying the Mark-of-the-Web or coming from untrusted locations, and a user who clicks "Enable Editing" leaves the sandbox.
- Update Windows Defender: Ensure the latest definition packs are installed. Defender now flags suspicious XML payloads in Office files. Attack Surface Reduction rules that block Office applications from creating child processes or injecting into other processes also blunt the post-exploitation stage.
- Restrict file types: Use Group Policy to block .docx, .xlsx and .pptx files from untrusted sources. Allow only signed documents from approved vendors.
- Educate users: Train staff to verify the source of attachments before opening them. Encourage the use of the Preview feature in Outlook.
Timeline
- 2026‑04‑12: CVE disclosed by Microsoft Security Response Center (MSRC).
- 2026‑04‑15: Initial advisory published; Office 365 clients flagged as vulnerable.
- 2026‑04‑20: Patch released in Office 365 2309 update.
- 2026‑04‑25: MSRC recommends immediate deployment across all environments.
- 2026‑05‑01: First reported exploitation in a small enterprise network.
What to Do Now
- Check your version: Confirm the build number under File > Account > About in any Office application, or read the VersionToReport value under HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration on Windows clients. Builds older than the 2309 update are affected.
- Deploy the update: Use Microsoft Endpoint Manager or Group Policy to push the 2309 update.
- Audit logs: Review Windows Event Logs for Office processes spawning unexpected children. Process-creation events (Security Event ID 4688 or Sysmon Event ID 1) with winword.exe, excel.exe or powerpnt.exe as the parent of cmd.exe, powershell.exe, rundll32.exe or similar are the primary indicator.
- Monitor: Subscribe to the MSRC feed for future advisories.
For more information, visit the official Microsoft documentation on CVE‑2026‑46033.