Use After Free Vulnerability in Microsoft Office Word
CVE-2026-33095

7.8 HIGH

What is CVE-2026-33095?

CVE-2026-33095 is a vulnerability in Microsoft Office Word, the word processing application in the Microsoft Office suite. The flaw is a "use after free": the program continues to use a pointer after the memory it points to has been freed or reallocated for another purpose. By exploiting this vulnerability, an unauthorized attacker could execute arbitrary code on a system where Microsoft Office Word is installed, leading to unauthorized control over the affected environment. For organizations, successful exploitation could compromise sensitive data, disrupt workflows, and enable further attacks on network infrastructure.

Potential impact of CVE-2026-33095

  1. Unauthorized Code Execution: The most critical impact of CVE-2026-33095 is the potential for attackers to execute arbitrary code on affected systems. This could allow them to gain unauthorized access to sensitive documents, credentials, or other confidential information stored within Microsoft Office Word or related applications.

  2. Data Loss and Corruption: The exploitation of this vulnerability could lead not only to unauthorized access but also to data manipulation or corruption. Attackers could alter or delete essential documents, leading to significant data loss for organizations that rely on Microsoft Office Word for their operations.

  3. Increased Attack Surface: This vulnerability may expose organizations to additional security risks, particularly if attackers leverage it as an entry point for wider network exploitation. Compromised systems could be used as a foundation for launching subsequent attacks, targeting other systems or networks within the organization, thus amplifying the risk of a larger security breach.

Affected Version(s)

Microsoft 365 Apps for Enterprise 32-bit Systems 16.0.1

Microsoft Office LTSC 2021 32-bit Systems 16.0.1

Microsoft Office LTSC 2024 32-bit Systems 16.0.0

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
