Microsoft Patches Critical Office and Outlook Preview Pane RCE Flaws
Microsoft has released fixes for multiple critical Microsoft Office, Word, and Outlook Classic vulnerabilities that can lead to remote code execution when a victim opens or previews a specially crafted file or email. The affected flaws include Office bugs CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49699, CVE-2025-49702, Word bug CVE-2025-49698, and newer Outlook/Word rendering issues CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635. Microsoft described the bugs as stemming from memory-safety issues such as use-after-free, heap-based buffer overflow, type confusion, and out-of-bounds read, with several carrying CVSS 8.4 ratings. In multiple cases, Microsoft said the Preview Pane can trigger exploitation, and some flaws may be exploited without additional user interaction once malicious content is rendered.
Microsoft said the vulnerable code paths affect Office and Word components, including the Word rendering engine used by Outlook Classic, and that supported builds such as Microsoft Office LTSC 2024 and Mac Office LTSC channels received updates, with some Mac patches arriving later. Most of the 2025 flaws were not publicly disclosed or exploited at publication, though Microsoft assessed some as more likely to be exploited; the 2026 Outlook and Word issues similarly prompted urgent patching guidance because remotely delivered email content can trigger local processing and code execution. Microsoft urged organizations to install all applicable updates and strengthen defenses around Office email handling, including Protected View, Attack Surface Reduction rules, and monitoring for suspicious Office child-process activity.
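The monitoring for suspicious Office child-process activity mentioned above can be prototyped over process-creation telemetry. This is an added example, not code from Microsoft or from this page; the field names follow Sysmon process-creation (Event ID 1) records, and the watch lists, host names and sample events are constructed assumptions.

```python
import ntpath

# Office hosts named in the story (Word, Outlook Classic) plus Excel and PowerPoint.
OFFICE_PARENTS = {"winword.exe", "outlook.exe", "excel.exe", "powerpnt.exe"}
# Assumed watch list of shells, script hosts and proxy-execution binaries; tune locally.
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def exe_name(path):
    """Lower-cased file name of a Windows path; tolerates quotes and missing values."""
    return ntpath.basename((path or "").strip().strip('"')).lower()


def find_office_child_processes(events):
    """Return one alert per event where an Office app started a watched child."""
    alerts = []
    for ev in events:
        parent, child = exe_name(ev.get("ParentImage")), exe_name(ev.get("Image"))
        if parent in OFFICE_PARENTS and child in WATCHED_CHILDREN:
            alerts.append({"host": ev.get("Computer"), "time": ev.get("UtcTime"),
                           "parent": parent, "child": child,
                           "command_line": ev.get("CommandLine", "")})
    return alerts


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # Benign: a link clicked in a mail makes Outlook start the browser.
    {"Computer": "WS-01", "UtcTime": "2025-07-09 08:01:12.120",
     "ParentImage": OFFICE + r"\OUTLOOK.EXE",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    # Benign: Outlook opens an attachment in Word.
    {"Computer": "WS-01", "UtcTime": "2025-07-09 08:03:40.002",
     "ParentImage": OFFICE + r"\OUTLOOK.EXE", "Image": OFFICE + r"\WINWORD.EXE"},
    # Alert: Word starts PowerShell.
    {"Computer": "WS-02", "UtcTime": "2025-07-09 09:15:27.881",
     "ParentImage": OFFICE + r"\WINWORD.EXE", "CommandLine": "powershell.exe -NoProfile",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Alert: quoted, lower-case parent path still matches.
    {"Computer": "WS-03", "UtcTime": "2025-07-09 09:20:05.300",
     "ParentImage": r'"c:\program files\microsoft office\root\office16\outlook.exe"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    # Not flagged: PowerShell started from Explorer, and a record with no parent field.
    {"Computer": "WS-04", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "WS-05", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in find_office_child_processes(SAMPLE_EVENTS):
        print(alert)
```

Matching on file name alone is a starting point: a production rule would also compare the full image path against the expected Office install directory so a renamed binary cannot pose as the parent or evade the child list.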

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft releases fixes for three Outlook and Word RCE flaws
Microsoft released fixes for CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635 affecting the Word rendering engine and its integration with Outlook Classic. The flaws could allow code execution during rendering of a malicious email or document, including via the Preview Pane.
Microsoft makes Mac Office LTSC updates available
On July 15, 2025, Microsoft updated the affected CVE advisories to note that security updates for Microsoft Office LTSC for Mac 2021 and 2024 were available. This applied across the disclosed Office and Excel vulnerabilities in the reference set.
Microsoft discloses six Office flaws and one Excel flaw
On July 8, 2025, Microsoft published advisories for CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49698, CVE-2025-49699, CVE-2025-49702, and CVE-2025-48812. The disclosures described multiple Office remote code execution issues and one Excel information disclosure flaw, with Microsoft stating they were not publicly disclosed or exploited at publication time.
Sources
8 references tracked.
Microsoft Outlook and Word Vulnerability Allow Attackers to Execute Malicious Code (cybersecuritynews.com)
CVE-2025-48812 - Security Update Guide - Microsoft - Microsoft Excel Information Disclosure Vulnerability (msrc.microsoft.com)
CVE-2025-49699 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-49697 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-49698 - Security Update Guide - Microsoft - Microsoft Word Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-49695 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-49702 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-49696 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability (msrc.microsoft.com)


