CVE-2026-20952
Microsoft · Microsoft Multiple Products
A high-severity Use-After-Free vulnerability has been identified in multiple Microsoft Office products, tracked as CVE-2026-20952.
Executive summary
CVE-2026-20952 is exploited when a user opens a specially crafted Office document, which lets an attacker execute arbitrary code on the victim's system. Successful exploitation could lead to complete compromise of the affected workstation, with a significant risk of data theft, malware installation, and further network intrusion.
Vulnerability
This is a Use-After-Free (UAF) vulnerability in a Microsoft Office component that processes document files. An attacker can exploit it by crafting a malicious Office document (e.g., Word or Excel) that, when opened, drives the application into a memory-management error: the software keeps a reference to an object after that memory has been deallocated (freed) and later dereferences it, corrupting memory. An attacker who can arrange for the freed block to be reallocated with contents under their control can hijack the application's execution flow and run arbitrary code with the same privileges as the logged-in user.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.4. Successful exploitation would grant an attacker local code execution capabilities on an employee's workstation. This could lead to severe consequences, including the theft of sensitive corporate data, deployment of ransomware, installation of persistent backdoors for long-term access, and the ability for the attacker to move laterally across the corporate network. Given the ubiquitous nature of Microsoft Office, a widespread phishing campaign leveraging this vulnerability could have a significant operational and financial impact on the organization.
Remediation
Immediate Action: All system administrators should prioritize the deployment of the security updates released by Microsoft for all affected products. The primary remediation is to apply the vendor-supplied patches immediately to prevent exploitation.
Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes looking for Endpoint Detection and Response (EDR) alerts related to memory protection violations in Office applications, suspicious child processes spawned by Office products (e.g., winword.exe launching powershell.exe or cmd.exe), and unexpected network traffic originating from Office applications to unknown destinations. Reviewing logs for failed or unusual file access attempts by Office processes is also recommended.
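As an added defender-side illustration of the child-process check described above (this is not code from the advisory, from Microsoft, or from any EDR vendor), the following Python script scores process-creation events whose parent is an Office application. The input is a constructed, simplified key=value format whose field names (ParentImage, Image, CommandLine, User) are modelled on Sysmon Event ID 1; the sample events, the allow-list of routine Office children, the list of suspicious interpreters, and the command-line indicators are all illustrative assumptions to be tuned per environment, not a vendor-supplied rule set.

```python
"""Flag suspicious child processes of Microsoft Office applications.

Added example for the monitoring guidance in the advisory; not code from
the advisory or from Microsoft. The event format below is a constructed,
simplified key=value layout whose field names mirror Sysmon Event ID 1.
Adapt parse_event() to the real source (Sysmon XML, Windows 4688, an EDR
export) before using this against production telemetry.
"""
import ntpath
import re
from dataclasses import dataclass

# Office parents whose child-process activity deserves scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Interpreters and living-off-the-land binaries a document viewer has no business spawning.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Children Office spawns routinely (printing, sync, crash reporting); illustrative allow-list.
BENIGN_CHILDREN = {"splwow64.exe", "msosync.exe", "werfault.exe", "dw20.exe"}

# Command-line fragments that escalate a finding from "medium" to "high" (case-insensitive).
HIGH_RISK_ARGS = ("-enc", "-nop", "-w hidden", "downloadstring", "iex ", "frombase64string", "bypass")

# key=value pairs; a double-quoted value may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events, not real telemetry. The -enc argument is a placeholder.
SAMPLE_EVENTS = r'''
ts=2026-01-14T09:12:01Z EventID=1 User=CORP\alice ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\splwow64.exe" CommandLine="C:\Windows\splwow64.exe 12288"
ts=2026-01-14T09:12:44Z EventID=1 User=CORP\alice ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -nop -w hidden -enc QQBCAEMA"
ts=2026-01-14T10:03:17Z EventID=1 User=CORP\bob ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami"
ts=2026-01-14T10:05:02Z EventID=1 User=CORP\bob ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -nop -w hidden"
ts=2026-01-14T10:09:55Z EventID=1 User=CORP\bob ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Users\bob\AppData\Local\Temp\updater.exe" CommandLine="updater.exe"
'''


@dataclass
class Finding:
    ts: str
    user: str
    parent: str
    child: str
    level: str      # "high", "medium" or "review"
    reasons: list


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def assess_event(ev: dict):
    """Return a Finding when an Office parent spawns a non-allow-listed child, else None."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent not in OFFICE_PARENTS:
        return None                      # only Office parents are in scope here
    child = ntpath.basename(ev.get("Image", "")).lower()
    if child in BENIGN_CHILDREN:
        return None                      # routine helper process, not worth an alert
    cmd = ev.get("CommandLine", "").lower()
    reasons = []
    if child in SUSPICIOUS_CHILDREN:
        level = "medium"
        reasons.append(f"{parent} spawned {child}")
        hits = [arg for arg in HIGH_RISK_ARGS if arg in cmd]
        if hits:                         # obfuscation/download flags push this to high
            level = "high"
            reasons.append("command line contains " + ", ".join(hits))
    else:
        level = "review"                 # unknown child: triage, then allow-list or escalate
        reasons.append(f"{parent} spawned unlisted child {child}")
    return Finding(ev.get("ts", "?"), ev.get("User", "?"), parent, child, level, reasons)


def scan(text: str) -> list:
    """Run assess_event over every non-empty line and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = assess_event(parse_event(line))
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.level.upper():6}] {f.ts} {f.user}: {'; '.join(f.reasons)}")
```

Run against the constructed sample, the script raises one high finding (Word spawning a hidden, encoded PowerShell), one medium finding (Excel spawning cmd.exe), and one "review" finding (Excel spawning an unknown executable from a temp directory), while ignoring the print-spooler helper and the PowerShell launched from Explorer. The three-tier split is deliberate: the "review" tier is where analysts learn which children are normal in their estate and grow the allow-list, rather than tuning out the whole rule.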
Compensating Controls: If immediate patching is not feasible, the following controls can help mitigate risk:
- Ensure Microsoft Office Protected View is enabled for all documents originating from the internet or other untrusted sources.
- Implement Attack Surface Reduction (ASR) rules to block Office applications from creating child processes or writing executable content.
- Reinforce user awareness training, specifically advising caution when opening unsolicited email attachments or documents from unverified sources.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 8.4) and the potential for complete system compromise via a common attack vector (malicious documents), this vulnerability poses a critical risk to the organization. We strongly recommend that the vendor-provided security updates be applied to all affected systems as a top priority. Although there is no evidence of active exploitation at this time, the interval between a patch release and in-the-wild exploitation is often short. Organizations should treat this as a critical patch and implement compensating controls, such as user awareness and EDR monitoring, to provide layered defense until patching is complete.