Microsoft Office Word Information Disclosure Vulnerability

A vulnerability in Microsoft Office Word allows unauthorized attackers to disclose information over a network. This issue arises from external control of file names or paths, potentially leading to the unauthorized disclosure of NTLM hashes.

Impact

Exploitation of this vulnerability could result in the unauthorized disclosure of sensitive information, specifically NTLM hash values.

Remediation

Users can download the security update for this vulnerability through the Microsoft Update Catalog. For Microsoft Word 2016 (both 32-bit and 64-bit editions), the security update is available as part of the May 2026 security updates. Instructions for downloading the update are provided in the Microsoft Word 2016 Security Update Knowledge Base Article 5002858. For Microsoft Office LTSC 2024, instructions are available in the Office LTSC 2024 Security Update Knowledge Base Article. Similar guidance can be found for Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Microsoft Word 2016.