CVE-2026-47635 | Severity: HIGH | CNA: microsoft

CVE-2026-47635: Microsoft Outlook and Word Remote Code Execution Vulnerability

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1: 8.4
Severity: HIGH
Fixed in: https://aka.ms/OfficeSecurityReleases
Affected Products: 1


HarborGuard Analysis

Synopsis

A type confusion vulnerability in Microsoft Office (Outlook and Word) allows an attacker with access to the host to execute arbitrary code without any authentication or user interaction. The flaw is reachable locally, meaning the attacker needs an existing foothold on the affected system, and successful exploitation grants full code execution with the privileges of the running application. A patched-image rebuild at the fixed version is available on HarborGuard for environments running an affected version of Microsoft Office LTSC 2024.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-47635 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Microsoft Office LTSC 2024 components. Any image in a connected registry or CI pipeline running an affected version (16.0.0 up to the fix release) is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at 8.4 HIGH using the CVSS v3.1 vector and can weight that score against each customer organization's compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch (Available)

A patched-image rebuild targeting the fix version referenced at https://aka.ms/OfficeSecurityReleases becomes available on HarborGuard once the upstream release is resolvable. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing exposure is required to trigger the vulnerability.

  • Authentication: Not required

    No account or credentials are required; the vulnerability is reachable by any process or user with local access to the affected system.

  • Victim interaction: Not required

    Exploitation does not require any action from another user on the system; the attacker can trigger the type confusion directly.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

Blast Radius

  • Reads sensitive files and data accessible to the Office process, including stored credentials, documents, and application data.
  • Modifies or overwrites files and application state accessible under the current user or process context.
  • Crashes or destabilizes the affected Office application and any dependent processes.
  • Executes attacker-supplied code at the privilege level of the compromised Office process, enabling further lateral movement on the host.

How HarborGuard Handles This

Available on HarborGuard: images containing Microsoft Office LTSC 2024 at any version from 16.0.0 prior to the fix release are flagged against CVE-2026-47635 as soon as the CVE is ingested. Where the fix version resolves from the upstream release page (https://aka.ms/OfficeSecurityReleases), a patched-image rebuild becomes available immediately. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the patched version, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers not using auto-remediation can review the flagged findings in their HarborGuard dashboard and initiate a manual rebuild. Because the attack vector is local (AV:L), compensating controls such as restricting shell access to the container, enforcing least-privilege process execution, and applying runtime security policies to block unexpected child processes can reduce exposure while a rebuild is staged.


Fix available

https://aka.ms/OfficeSecurityReleases

Affected packages
  • Microsoft / Microsoft Office LTSC 2024: versions from 16.0.0 up to (but not including) the fix release listed at https://aka.ms/OfficeSecurityReleases

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C