Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Microsoft Office Use-After-Free Remote Code Execution Vulnerability

IdentifiersCVE-2026-32190CWE-416· Use After Free

CVE-2026-32190 is a Critical remote code execution vulnerability in Microsoft Office caused by a use-after-free condition. Microsoft classifies the weakness as CWE-416. According to the provided content, successful exploitation allows an unauthorized attacker to execute code locally. Although Microsoft titles this as a remote code execution issue, the supporting context states that the attack is carried out locally and that the 'Remote' designation refers to the attacker’s location rather than a network attack vector. The vulnerability is associated with document-borne exploitation scenarios, and Microsoft confirmed that the Preview Pane is an attack vector for this issue.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution in the context of the affected Microsoft Office application on the local machine. The provided Microsoft CVSS assessment indicates high impact to confidentiality, integrity, and availability, meaning an attacker could potentially read data, modify data, and disrupt system or application availability after code execution is achieved.

Mitigation

If you can’t patch tonight, do this now.

The provided content does not include a Microsoft-issued workaround beyond patching. As temporary risk reduction, organizations can limit exposure to untrusted Office documents and treat the Preview Pane as an exposure path, since Microsoft explicitly confirmed it is an attack vector for this vulnerability. Prioritize patching systems that process externally sourced Office content.

Remediation

Patch, then assume compromise.

Microsoft indicated that an official fix was available through the Microsoft Security Response Center Security Update Guide. Remediation is to apply the relevant Microsoft Office security update for CVE-2026-32190 across affected Office deployments, including Microsoft 365/Office installations covered by the April 2026 Patch Tuesday release.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft Corporation365 Appsapplication
Microsoft CorporationOfficeapplication
Microsoft CorporationOffice 2016application
Microsoft CorporationOffice 2019application
Microsoft CorporationOffice 2021application
Microsoft CorporationOffice 2024application
Microsoft CorporationOffice Long Term Servicing Channelapplication
Microsoft CorporationOffice Macos 2021application
Microsoft CorporationOffice Macos 2024application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
sophos threat researchNews
Apr 17, 2026
Microsoft addresses 163 CVEs, 88 advisories for April Patch Tuesday | SOPHOS

A critical Microsoft PowerPoint remote code execution vulnerability affecting Office and Microsoft 365, notable because the Preview Pane is an attack vector.

Read more
cyberthroneNews
Apr 15, 2026
Microsoft Patch Tuesday - April 2026 - TheCyberThrone

A critical use-after-free remote code execution vulnerability in Microsoft Office, likely exploitable through malicious documents.

Read more
talos intelligence blogNews
Apr 14, 2026
Microsoft Patch Tuesday for April 2026 - Snort Rule and Prominent Vulnerabilities

A critical use-after-free vulnerability in Microsoft Office that can result in local code execution.

Read more
msrc microsoftNews
Apr 14, 2026
CVE-2026-32190 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability

A critical use-after-free remote code execution vulnerability in Microsoft Office that allows an unauthorized attacker to execute code locally, including via the Preview Pane attack vector.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-32190
NVD
nvd.nist.gov/vuln/detail/CVE-2026-32190
MITRE CWE · CWE-416
Use After Free
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32190