Microsoft Word Use-After-Free Vulnerability Leading to Remote Code Execution

A use-after-free vulnerability has been identified in Microsoft Office Word. This issue allows an unauthorized attacker to execute code locally. The vulnerability is present in several versions of Microsoft Word, including Word 2016 (both 32-bit and 64-bit editions), Word LTSC for Mac 2021 and 2024, Word LTSC 2021 and 2024 for 32-bit and 64-bit editions, and Word 365 Apps for Enterprise for both 32-bit and 64-bit systems. The vulnerability arises from improper memory management, which can be exploited to execute arbitrary code.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected system.

Remediation

Users can download the security update for this vulnerability through the Microsoft Update Catalog. For Microsoft Word 2016, the security update is available as part of the May 2026 security updates. Instructions for downloading the update can be found in the Microsoft Word 2016 Security Update Knowledge Base Article 5002858. For other affected versions, similar security update guidance is available through the Microsoft Office LTSC Release Notes or the Microsoft 365 Apps for Enterprise Security Update documentation.