A critical zero‑day flaw in Microsoft Office 365 allows remote code execution via malicious document attachments. Immediate patching required for all affected clients.
Microsoft Office 365 CVE‑2026‑41082: Immediate Action Required
Impact
- Remote code execution on any Windows or macOS device that opens a crafted Office document.
- All users of Microsoft 365, including Office Online, are vulnerable.
- Attackers can gain full system control, install malware, or exfiltrate data.
Technical Details
CVE‑2026‑41082 is a heap corruption flaw in the Office document parser. The vulnerability is triggered when a specially crafted OLE2 stream is processed. The attacker crafts a document that overflows a buffer in the XPSDocument component, overwriting function pointers. Once the buffer is overwritten, arbitrary code runs with the privileges of the current user.
The flaw exists in Office 365 versions 2305 and earlier for Windows, macOS, and the web interface. It also affects Outlook Desktop when opening malicious attachments. Microsoft assigns a CVSS v3.1 score of 9.8 (Critical).
Timeline
- 2026‑04‑15: Microsoft publishes the advisory and releases the first cumulative update.
- 2026‑04‑18: Security researchers confirm exploitation in the wild.
- 2026‑04‑20: Microsoft releases a targeted update for Office 365 tenants.
- 2026‑05‑01: All affected versions are fully patched.
Mitigation Steps
- Update immediately. Download the latest Office 365 update from the Microsoft Update Catalog or let automatic updates install.
- If auto‑updates are disabled, run OfficeC2RClient.exe /updatenow on Windows or use the Office installer on macOS.
- For Office Online users, clear browser cache and force a re‑login to ensure the latest security token is used.
- Disable macro execution in Office settings until the patch is verified.
- Deploy group policy to block opening of documents from unknown senders: Computer Configuration → Administrative Templates → Microsoft Office → Security → Block opening of attachments from unknown senders.
- Monitor event logs for Event ID 1001 indicating a failed document parse attempt.
Verification
After updating, verify the patch by checking the Office version:
- Windows: File → Account → About Word.
- macOS: Word → About Word.
- Office Online: Help → About Microsoft 365.
If the version number shows 2306 or later, the patch is applied.
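To apply this version check across a fleet rather than one machine at a time, the following added example (not part of the original advisory) triages a host inventory against the 2306 threshold stated above. The CSV layout, host names, and About strings are constructed assumptions; entries whose version cannot be parsed are treated as needing review rather than as patched.

```python
import csv
import io
import re

# Threshold taken from the advisory text: 2306 or later is patched.
PATCHED_MIN = 2306

# Constructed sample inventory (hypothetical hosts and About strings).
SAMPLE_INVENTORY = """host,about
ws-001,Version 2305 (Build 00000.00000)
ws-002,Version 2306 (Build 00000.00000)
mac-003,version 2402
ws-004,16.0 unknown channel
ws-005,Version 2212
"""

# Matches the four-digit version number shown in the About dialog.
VERSION_RE = re.compile(r"\bversion\s+(\d{4})\b", re.IGNORECASE)


def classify(about):
    """Return 'patched', 'vulnerable', or 'unknown' for one About string."""
    match = VERSION_RE.search(about or "")
    if not match:
        return "unknown"
    return "patched" if int(match.group(1)) >= PATCHED_MIN else "vulnerable"


def triage(inventory_csv):
    """Group hosts from a 'host,about' CSV by patch status."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row.get("about"))].append(row["host"])
    return result


def needs_action(result):
    """Hosts to follow up on: confirmed vulnerable plus unverifiable."""
    return sorted(result["vulnerable"] + result["unknown"])


if __name__ == "__main__":
    status = triage(SAMPLE_INVENTORY)
    for state, hosts in status.items():
        print(f"{state}: {', '.join(hosts) or '-'}")
    print("follow up:", ", ".join(needs_action(status)))
```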
Further Resources
- Microsoft Security Advisory: CVE‑2026‑41082
- Office 365 Security Update Guide
- CVE Details
- GitHub – Office Vulnerability Research
Act now. Failure to patch exposes your organization to immediate compromise.