CVE-2026-40366: Critical Word Use-After-Free RCE via Preview Pane

Microsoft disclosed CVE-2026-40366 on May 12, 2026, as a Critical Microsoft Word remote code execution vulnerability affecting supported releases of Word 2016, Office 2019, Office LTSC, Microsoft 365 Apps for Enterprise, and Office LTSC for Mac, with official fixes available through Microsoft’s update channels.
That sounds like another routine Patch Tuesday line item, until the scoring details sharpen the picture. This is not a macro scare, not a vague “open a bad file” advisory, and not a bug Microsoft is treating as speculative. The unsettling part is the combination: a confirmed use-after-free flaw, no privileges required, Preview Pane exposure, and code execution in a product whose entire purpose is to ingest documents from strangers.

Microsoft’s Word Bug Is “Remote” in the Way Office Attacks Usually Are

The phrase remote code execution has always done awkward work in Office advisories. In server products, “remote” often means an attacker can send traffic across the network and reach vulnerable code without the victim doing much of anything. In Word, the geography is different: the attacker may be remote, but the vulnerable code usually runs when the target machine parses a crafted document.
That distinction matters because CVE-2026-40366 carries a CVSS attack vector of Local, even while Microsoft titles it as remote code execution. Microsoft’s explanation is familiar but important: the attacker is remote, while the exploitation path involves code being processed locally on the victim’s system. In practical terms, the exploit story is still about a malicious file crossing the boundary between attacker and user.
The more important detail is not the vocabulary but the degree of exposure. Microsoft says the Preview Pane is an attack vector for this vulnerability. For Outlook-heavy workplaces, that moves the risk away from the comforting fiction that users must explicitly open every dangerous document before trouble starts.
Preview-based attack surface has long been one of Office’s most uncomfortable design tradeoffs. Users want quick triage of attachments, administrators want fewer helpdesk complaints, and Microsoft wants productivity software to feel frictionless. Attackers, predictably, like any feature that turns passive inspection into active parsing.

The Score Says “Critical,” but the Vector Tells the Real Story

CVE-2026-40366 has a CVSS 3.1 base score of 8.4 and a temporal score of 7.3. The base vector is unusually revealing: local attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impact to confidentiality, integrity, and availability. That is a compact way of saying that once the vulnerable parser is reached, Microsoft does not see many meaningful barriers left.
The “no user interaction” field deserves special attention because it looks counterintuitive for a Word vulnerability. Many document-based exploits are scored with user interaction required because the victim must open a file, click something, or otherwise participate. Here, Microsoft’s scoring and FAQ language point to a different model: the compromise path does not depend on a separate, deliberate action by the victim, and the Preview Pane is enough of an attack vector to change the operational risk.
That does not mean every mailbox is instantly compromised by the arrival of a malicious document. It means defenders should not build their response around user training alone. If the mitigation story is “don’t open suspicious attachments,” it is already weaker than the advisory.
The vulnerability is also tagged as CWE-416, a use-after-free weakness. That class of bug is a memory-management failure in which software continues to use memory after it has been released. In the right conditions, it can become a primitive for redirecting program behavior, corrupting data, or achieving code execution. Microsoft’s executive summary is short, but its scoring gives the bug more gravity than the prose does.

Confirmed Does Not Mean Exploited, and That Distinction Matters

Among the temporal metrics in the MSRC advisory, Report Confidence stands out, and in this case it is set to Confirmed. That is not a decorative field. It is Microsoft saying the vulnerability is not merely rumored, partially inferred, or described by a third party without sufficient validation.
Report Confidence is one of the more underrated CVSS temporal metrics because it speaks to two audiences at once. Defenders read it as a signal that the vendor believes the bug is real and actionable. Attackers read it as evidence that there is something concrete to reverse, reproduce, or hunt for once patches are available.
Microsoft also lists exploit code maturity as Unproven and says the vulnerability was not publicly disclosed and not exploited at the time of publication. That is good news, but it is not the same as low risk. The grim rhythm of Patch Tuesday is that fixes give defenders a remedy and attackers a diff.
The practical window, then, is not “before anyone knows.” It is the period after a patch ships but before enough machines receive it. For high-value environments, that window can be short, noisy, and unforgiving. For unmanaged desktops, stale Office installations, and machines outside central patch control, it can stretch into months.

Office Remains the Soft Underbelly of “Fully Patched” Windows

Windows administrators often think in terms of operating system build numbers, cumulative updates, and endpoint detection status. CVE-2026-40366 is a reminder that Office patching is its own discipline, with its own channels, editions, architectures, and servicing quirks. A machine can be current on Windows and still lag behind on the software that processes the documents users actually receive.
The affected product list spans a familiar but messy estate. Microsoft lists Microsoft Word 2016 in both 32-bit and 64-bit editions, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024, Microsoft 365 Apps for Enterprise, and Office LTSC for Mac 2021 and 2024. The Windows-side story includes both perpetual-license Office and subscription-serviced Microsoft 365 Apps, while the Mac story has its own fixed build numbers.
For Word 2016, Microsoft points to a specific update with build 16.0.5552.1000. For Office for Mac LTSC 2021 and 2024, Microsoft lists build 16.109.26051019. For Click-to-Run Office products, Microsoft’s security update references route administrators to the current Office security release stream rather than a single standalone installer.
That diversity is not a footnote. It is the work. In a real organization, different departments may have different Office vintages because of add-in compatibility, licensing history, virtual desktop images, lab machines, or line-of-business software that froze a build years ago. CVE-2026-40366 is the kind of vulnerability that punishes those quiet exceptions.

The Preview Pane Turns Convenience Into Attack Surface

The Preview Pane detail is the sharpest operational warning in the advisory. It means defenders should think beyond document opening behavior and consider all the places where Word’s rendering or parsing components may be invoked. Outlook previews are the obvious example, but enterprise environments often have document indexing, DLP inspection, collaboration previews, and third-party workflows that touch Office files.
Microsoft’s advisory language does not describe all of those paths as vulnerable, and it would be irresponsible to invent a broader exploit surface than the vendor has confirmed. But the lesson remains: Office file handling is rarely limited to the double-click event users imagine. Documents are inspected, previewed, scanned, transformed, and sometimes rendered by processes users never see.
That is why disabling or constraining previews can be a rational short-term control when patch deployment is delayed. It is not a substitute for the update, and it should not be sold as equivalent protection. But in environments where change control slows Office patching, reducing automatic parsing of untrusted documents can buy time.
The uncomfortable truth is that the Preview Pane exists because users like it. Security teams often remove visible convenience and then spend the next quarter explaining why everyone’s workflow got worse. CVE-2026-40366 is another example of the tradeoff: the feature is not inherently reckless, but every parser exposed to untrusted content becomes part of the attack surface.

“Exploitation Less Likely” Is Not a Permission Slip

Microsoft’s exploitability assessment says exploitation is less likely. That phrase will inevitably be read by some patch managers as a reason to push the fix into the normal queue. That may be defensible for tightly managed fleets with rapid Office servicing, strong attachment controls, and low exposure to unsolicited documents. It is much harder to justify for legal, finance, HR, recruiting, government, education, and managed service environments where Word files arrive constantly from outside the organization.
The exploitability label is a forecast, not a warranty. It reflects Microsoft’s assessment at original publication, based on known exploit availability, observed attacks, and technical factors. It does not freeze the adversary landscape in place.
Memory-corruption vulnerabilities in ubiquitous client software attract attention precisely because they sit at the intersection of scale and user trust. Word documents still carry social legitimacy in a way that executables do not. A malicious invoice, résumé, contract draft, grant application, compliance document, or procurement response is much more likely to reach the right inbox than an obvious binary payload.
The better interpretation is not panic, but urgency with context. This is not marked as exploited in the wild. It is not publicly disclosed before the patch. It does have an official fix. Those facts argue against emergency theater. The Critical rating, Preview Pane vector, and confirmed report confidence argue against complacency.

The Patch Is the Real Mitigation, but Inventory Is the Real Problem

For home users and small offices, the advice is relatively straightforward: update Office and make sure the update actually completed. Microsoft 365 Apps typically update through Click-to-Run, while Word 2016 and other perpetual editions may depend on Microsoft Update, standalone packages, enterprise deployment tooling, or managed update systems. The right answer depends on how Office was installed.
For enterprise administrators, the harder question is not whether a patch exists. It is whether every vulnerable Office copy is visible. Office installations often live on golden images, nonpersistent VDI pools, kiosks, shared lab machines, developer workstations, legacy application servers, and forgotten jump boxes. Word may be installed even where nobody thinks of the machine as a “document workstation.”
The presence of Office on servers is especially worth checking. Many organizations install Office components for report generation, document conversion, mail merge, or legacy automation, despite years of warnings about the fragility of server-side Office automation. Even if a machine is not a typical user endpoint, any process that ingests untrusted Word documents deserves scrutiny.
Patch validation should also include architecture. Word 2016 32-bit and 64-bit editions are both listed, and older environments sometimes standardize on 32-bit Office for add-in compatibility even on 64-bit Windows. Asset tools that only report “Office 2016 installed” without architecture and build detail are not good enough for this kind of response.

Mac Fleets Are Not Spectators This Time

Microsoft’s affected list includes Office LTSC for Mac 2021 and 2024. That matters because Mac endpoints are often treated as parallel but lower-volume management problems in Windows-first organizations. In mixed environments, the Windows patch process may be mature while Office for Mac updates depend on user behavior, MDM compliance drift, or separate packaging workflows.
The Mac inclusion also undercuts a lazy assumption that Word vulnerabilities are purely Windows stories. The vulnerable product is Word and the Office codebase around it, not the Windows kernel or a Windows-only subsystem. If Mac users receive the same untrusted documents, they belong in the same risk conversation.
For administrators using Microsoft AutoUpdate or MDM-managed Office deployments, the operational task is to confirm that Office for Mac reaches the fixed build Microsoft lists for the affected LTSC releases. That is less glamorous than threat hunting, but it is where most risk reduction happens. A pristine Windows dashboard means little if the legal team’s Mac fleet is two update cycles behind.
Security teams should also be careful with user communications. Mac users who have been trained to treat Windows malware warnings as someone else’s problem may need a clearer message: this is an Office issue, and the document-handling surface exists on their machines too.

The Use-After-Free Pattern Keeps Haunting Document Parsers

Use-after-free bugs are not new, and that is precisely the problem. They are the residue of complex native code that has spent decades growing features, compatibility shims, file format support, and performance optimizations. Word is not merely a text editor; it is a document operating environment with parsers for formats, embedded content, compatibility modes, layout engines, and integrations that reach far beyond plain text.
Modern Office benefits from sandboxing, Protected View, Attack Surface Reduction rules, file blocking, attachment filtering, and cloud detonation. Those layers matter. But vulnerabilities like CVE-2026-40366 show that the parser remains a high-value target because it must process attacker-supplied structure before the user understands what they are seeing.
The industry has spent years trying to push users away from enabling macros. That campaign has helped, but it also shifted attacker incentives. If macro execution becomes harder, exploit-based document attacks become more attractive again, especially when a bug can be triggered through preview or parsing paths that do not look like explicit execution to the victim.
The strategic lesson is that “disable macros” was never the whole Office security story. It was one necessary move in a broader contest over untrusted content. CVE-2026-40366 sits squarely in that broader contest.

Defenders Should Treat Word as an Internet-Facing Parser

It may sound strange to describe Word as internet-facing, but in practical security terms it often is. A mail gateway accepts content from the internet, passes it to a user mailbox, and the endpoint renders or previews it. The network connection may end at Exchange, Microsoft 365, or a security appliance, but the parsing risk lands on the client.
That framing changes prioritization. We do not usually delay patches for internet-facing VPN appliances, mail servers, or web apps on the grounds that exploitation is not yet observed. We patch because exposure plus impact plus exploitability can turn quickly. Word deserves a similar mental model when Preview Pane parsing is in play.
This does not mean every Office CVE should become a midnight maintenance event. Patch management has to be sustainable, or it collapses into noise. But Critical Office RCEs with no privileges required and confirmed vendor confidence should sit closer to the front of the queue than many routine client-side bugs.
Organizations with mature controls can add nuance. If Office updates are already on an aggressive cadence, external attachments are detonated before delivery, risky file types are blocked, Protected View is enforced, and users lack local admin rights, the residual risk may be manageable during normal rollout. If any of those assumptions are false, the case for acceleration gets stronger.

Microsoft’s Sparse Advisory Leaves Room for Defender Judgment

The advisory does not publish exploit details, proof-of-concept code, or a deep root-cause analysis. That is normal for MSRC, and it is usually the right tradeoff before patches are broadly deployed. But it leaves defenders reading between the structured fields: CVSS vector, exploitability assessment, affected products, FAQ text, and update availability.
Those fields tell a coherent story. The vulnerability is confirmed. It is a use-after-free in Microsoft Office Word. It can lead to local code execution by an unauthorized attacker. It has Critical severity, high impact across confidentiality, integrity, and availability, and Preview Pane exposure. Microsoft does not report public disclosure or active exploitation at release.
That combination calls for disciplined urgency. The right response is to patch, verify, and reduce preview exposure where patching cannot happen quickly. The wrong response is to argue semantics over whether “remote” is the perfect word.
Security advisories often become bureaucratic artifacts: tickets, SLA clocks, dashboard colors, exception forms. CVE-2026-40366 deserves better than that because it touches the mundane daily workflow of opening documents. The attack surface is not exotic. It is the inbox.

Where Windows Admins Should Spend the Next Day

The next 24 hours should not be spent doomscrolling for proof-of-concept chatter. They should be spent answering boring but decisive questions. Which Office channels are in use? Which devices have Word installed? Which machines cannot update automatically? Which users rely on Preview Pane for high-volume external mail?
For Microsoft 365 Apps, administrators should confirm the servicing channel and update status rather than assume Click-to-Run has already done its job. Deferred channels, bandwidth controls, update deadlines, and user session behavior can all delay real-world installation. “Available” is not the same as “installed.”
For Office 2016, Office 2019, and LTSC builds, the job is more concrete: match installed builds against Microsoft’s fixed releases and deploy the relevant updates. In environments that still carry Office 2016, the age of the estate should trigger a second conversation. Supported does not mean modern, and supported-but-old client software is where exceptions tend to accumulate.
For Mac, the response should run through the same compliance loop as Windows. Confirm versions, enforce updates, and do not rely on informal user prompts. If Office for Mac is managed separately from Windows endpoints, CVE-2026-40366 is a good excuse to test whether that separation is creating blind spots.
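As an added example (not from the advisory and not the original post’s own code), here is the build-matching step for Windows and Mac run over a constructed inventory export, covering the fixed builds quoted earlier, the architecture point, and the Click-to-Run caveat. The two fixed builds are the ones the advisory lists for Word 2016 and Office LTSC for Mac; Click-to-Run products are flagged for a channel check rather than compared numerically, because the page gives no single build for them. Hostnames, architectures, and every build number other than the two fixed ones are invented sample data.

```python
import csv
import io

# Fixed builds the advisory lists for the products that have a single build.
FIXED_BUILDS = {
    "Word 2016": "16.0.5552.1000",
    "Office LTSC for Mac 2021": "16.109.26051019",
    "Office LTSC for Mac 2024": "16.109.26051019",
}

# Click-to-Run products: the fix comes from the channel's current security
# release, so these rows need a channel/update-status check, not a compare.
CLICK_TO_RUN_PRODUCTS = {
    "Microsoft 365 Apps for Enterprise",
    "Office 2019",
    "Office LTSC 2021",
    "Office LTSC 2024",
}

# Constructed inventory export (hosts and non-fixed builds are invented).
# Columns: hostname,product,arch,build. kiosk-02 shows the "Office 2016
# installed" record with no architecture or build that the text warns about.
SAMPLE_INVENTORY = """hostname,product,arch,build
fin-ws-01,Word 2016,x86,16.0.5552.1000
fin-ws-02,Word 2016,x64,16.0.5500.1000
hr-mac-03,Office LTSC for Mac 2021,arm64,16.108.25101114
legal-mac-09,Office LTSC for Mac 2024,arm64,16.109.26051019
dev-ws-14,Office LTSC 2021,x64,16.0.14332.20000
kiosk-02,Word 2016,,
"""


def parse_build(build):
    """'16.0.5552.1000' -> (16, 0, 5552, 1000), or None if unparseable.

    Compared as integer tuples: a plain string comparison puts
    '16.0.10000.1000' below '16.0.5552.1000' because '1' sorts before '5'.
    """
    try:
        return tuple(int(part) for part in build.strip().split("."))
    except ValueError:
        return None


def assess(row):
    """Classify one inventory row against the advisory's fixed builds."""
    product = row["product"].strip()
    if product in CLICK_TO_RUN_PRODUCTS:
        return "verify-channel"
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        return "not-listed"
    installed = parse_build(row.get("build") or "")
    if installed is None or not (row.get("arch") or "").strip():
        # Build and architecture are both required for a defensible answer.
        return "insufficient-detail"
    return "patched" if installed >= parse_build(fixed) else "vulnerable"


def triage(inventory_csv):
    """Return {hostname: status} for every row of a CSV export."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["hostname"]: assess(row) for row in reader}


def needs_action(inventory_csv):
    """Hosts that are not confirmed patched, in export order."""
    return [h for h, s in triage(inventory_csv).items() if s != "patched"]


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Anything other than “patched” stays on the worklist: “vulnerable” rows get the update, “verify-channel” rows are checked against their channel’s May 2026 security release and actual install state, and “insufficient-detail” rows mean the inventory source itself has to be fixed before the host can be closed out.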

The CVE’s Takeaway Is Written in the Preview Pane

CVE-2026-40366 is not the biggest Microsoft vulnerability by score, nor is it the scariest kind of wormable server flaw. Its significance is more ordinary and therefore more useful: it shows how a familiar productivity feature can turn document handling into a high-consequence security boundary.
  • Microsoft released fixes for CVE-2026-40366 on May 12, 2026, and marks customer action as required for affected Office and Word products.
  • The vulnerability is a confirmed use-after-free flaw in Microsoft Office Word that can allow local code execution by an unauthorized attacker.
  • Microsoft says the Preview Pane is an attack vector, which means defenders should not rely on “do not open attachments” messaging as their primary control.
  • The CVSS vector lists low attack complexity, no privileges required, no user interaction, and high confidentiality, integrity, and availability impact.
  • Microsoft reports no public disclosure and no exploitation at publication, while assessing exploitation as less likely.
  • The affected estate includes Word 2016, Office 2019, Office LTSC 2021 and 2024, Microsoft 365 Apps for Enterprise, and Office LTSC for Mac releases.
The most useful security lessons are rarely the most dramatic ones. CVE-2026-40366 is a reminder that Windows security is not just Windows, that Office is not just an application, and that “preview” is still parsing untrusted content with complicated code. Microsoft has provided the fix; the next test is whether administrators can make the patch land before attackers turn the advisory into a working document lure.

Source: MSRC Security Update Guide - Microsoft Security Response Center