CVE-2026-33822: Microsoft Word Information Disclosure Vulnerability

Overview

Severity

Medium (CVSS 6.1)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Apr

Released

2026-04-14

Description

Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

FAQ

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the local memory address. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.

Affected Products (4)

Microsoft Office

• Microsoft 365 Apps for Enterprise for 32-bit Systems
• Microsoft 365 Apps for Enterprise for 64-bit Systems
• Microsoft Office LTSC for Mac 2021
• Microsoft Office LTSC for Mac 2024

Security Updates (1)

• Release Notes

Acknowledgments

wh1tc@Kunlun lab& devoke & Zhiniang Peng with HUST

Revision History

• 2026-04-14: Information published.