CVE-2026-20944

Microsoft · Microsoft Multiple Products

A high-severity vulnerability has been discovered in Microsoft Word that could allow an attacker to take control of a user's computer.

Executive summary

A high-severity vulnerability has been discovered in Microsoft Word that could allow an attacker to take control of a user's computer. Successful exploitation requires an attacker to trick a user into opening a specially crafted malicious Word document, which could lead to a full system compromise and data theft.

Vulnerability

This vulnerability is an out-of-bounds read condition within Microsoft Office Word. An attacker can exploit this by creating a specially crafted Word document that, when opened by a victim, causes the application to read data from a memory location outside of its intended boundary. This can lead to information disclosure or, more critically, can be leveraged to corrupt memory in a way that allows for arbitrary code execution in the context of the logged-in user. The attack vector is local, requiring user interaction such as opening a malicious file received via email or downloaded from the web.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.4. If exploited, an attacker could gain the same level of access as the user running the application, leading to a complete compromise of the affected workstation. Potential consequences include the installation of malware such as ransomware or spyware, theft of sensitive corporate data, unauthorized access to network resources, and the ability for an attacker to establish a persistent foothold for further lateral movement within the organization's network.

Remediation

Immediate Action: The primary remediation is to apply the security updates released by Microsoft across all affected systems immediately. Prioritize patching for all workstations and servers with Microsoft Office installed. Utilize automated patch management systems to ensure rapid and comprehensive deployment and verify that the patches have been successfully installed.

Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes monitoring endpoint detection and response (EDR) logs for suspicious child processes spawning from winword.exe (e.g., powershell.exe, cmd.exe). Network monitoring should be used to detect unusual outbound traffic from workstations to unknown IP addresses following the opening of Word documents.
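As an added example that is not part of this advisory, the child-process rule above expressed as a small detector over Sysmon Event ID 1 style process-creation events exported as JSON lines; the field names (Image, ParentImage, CommandLine, Computer), the watchlists and the sample events are assumptions constructed for the example, and it also flags any executable Word launches from a user-writable directory, since a dropped payload typically runs from there.

```python
import json
from pathlib import PureWindowsPath

# Office parents that should not normally spawn shells or scripting hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child images commonly seen after a document exploit (compared case-insensitively).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Path fragments for user-writable locations where a dropped payload would typically run.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")


def parse_events(log_text: str) -> list[dict]:
    """Parse JSON-lines process-creation events; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep going: one bad line must not stop the sweep
    return events


def find_office_child_alerts(events: list[dict]) -> list[dict]:
    """One alert per event where an Office app spawns a watched binary or a user-path executable."""
    alerts = []
    for ev in events:
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        if parent not in OFFICE_PARENTS:
            continue
        image = ev.get("Image", "")
        child = PureWindowsPath(image).name.lower()  # Sysmon logs full paths; compare the file name
        reason = None
        if child in SUSPICIOUS_CHILDREN:
            reason = "shell/script host spawned by Office"
        elif any(frag in image.lower() for frag in USER_WRITABLE):
            reason = "executable launched from user-writable path"
        if reason:
            alerts.append({"host": ev.get("Computer", "?"), "parent": parent, "child": child,
                           "reason": reason, "cmdline": ev.get("CommandLine", "")})
    return alerts


# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_LOG = r"""
{"Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"}
{"Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe"}
{"Computer": "WS02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"Computer": "WS03", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe /q"}
not json at all
"""
```

Running `find_office_child_alerts(parse_events(SAMPLE_LOG))` yields two alerts (the PowerShell launch on WS01 and the Temp-directory executable on WS03); the printing helper splwow64.exe and the Explorer-spawned cmd.exe are not flagged.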

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce risk. This includes enabling Microsoft Defender Attack Surface Reduction (ASR) rules to block Office applications from creating executable content or launching child processes. Ensure email security gateways are configured to scan for and block malicious attachments, and provide users with updated security awareness training on identifying and reporting phishing attempts.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.4 and the potential for complete system compromise, this vulnerability should be treated as a high priority. Although CVE-2026-20944 is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its severity and the widespread use of the affected software make it a prime candidate for future inclusion. We strongly recommend that organizations apply the vendor-supplied patches immediately to mitigate the risk of exploitation and prevent potential data breaches or system compromise.