CVE-2026-33822 Overview
CVE-2026-33822 is an out-of-bounds read vulnerability [CWE-125] in Microsoft Office Word. The flaw allows an unauthorized attacker to disclose information locally when a victim opens a crafted document. Exploitation requires user interaction but no prior authentication. The vulnerability affects Microsoft 365 Apps on Windows and Microsoft Office Long Term Servicing Channel 2021 and 2024 for macOS. Microsoft published the advisory through the Microsoft Security Response Center (MSRC) update guide.
Critical Impact
Successful exploitation discloses memory contents from the Word process, which can include sensitive document data, pointers useful for bypassing Address Space Layout Randomization (ASLR), or other in-memory artifacts.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Office Long Term Servicing Channel 2021 for macOS
- Microsoft Office Long Term Servicing Channel 2024 for macOS
Discovery Timeline
- 2026-04-14 - CVE-2026-33822 published to the National Vulnerability Database (NVD)
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-33822
Vulnerability Analysis
The vulnerability is classified as an out-of-bounds read [CWE-125] within Microsoft Office Word file parsing logic. When Word processes a malformed document, it reads past the bounds of an allocated buffer. The resulting memory contents can be returned to attacker-controlled structures within the document and exfiltrated. The Exploit Prediction Scoring System (EPSS) currently rates the probability of exploitation at 0.05%, reflecting low observed activity at this time.
Root Cause
The root cause is insufficient bounds checking when Word parses a specific structure inside a Word document. The parser trusts a length or offset field from the document without validating it against the size of the underlying buffer. When the field references memory beyond the buffer, the read operation succeeds and returns adjacent process memory.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a crafted Word document through email, a shared drive, or a download. The victim must open the document in an affected version of Word. No elevated privileges are required, and the attacker does not need an account on the target system. The integrity impact is none; confidentiality is affected by the memory disclosure, and availability is affected because the Word process can crash after the out-of-bounds read.
No public proof-of-concept code or exploit is currently available for CVE-2026-33822. See the Microsoft CVE-2026-33822 Update Guide for vendor technical detail.
Detection Methods for CVE-2026-33822
Indicators of Compromise
- Word documents (.docx, .doc, .rtf) arriving from untrusted senders that trigger unexpected WINWORD.EXE crashes or hangs.
- Word processes generating Windows Error Reporting (WER) entries or macOS crash reports referencing access violations during document parse.
- Outbound network connections from WINWORD.EXE shortly after a document is opened, indicating possible data exfiltration of leaked memory.
Detection Strategies
- Inspect inbound email attachments for Word documents with malformed structures using a sandbox that monitors for out-of-bounds memory access.
- Hunt for parent-child process anomalies where WINWORD.EXE spawns scripting hosts such as powershell.exe, cmd.exe, or wscript.exe.
- Correlate Office telemetry from Microsoft Defender for Endpoint or equivalent EDR with file-open events for documents originating from the internet (Mark-of-the-Web present).
Monitoring Recommendations
- Enable Office cloud-based protection and attack surface reduction (ASR) rules that block Office applications from creating child processes.
- Monitor for Word process crashes followed by repeated user re-opens of the same document, a common pattern when an attacker tunes an exploit.
- Ingest endpoint, email gateway, and Office 365 audit logs into a centralized data lake to enable cross-source correlation against this CVE.
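The two hunts above that can be expressed as log logic, Word spawning a scripting host and the same document repeatedly crashing Word for one user, as an added example that is not part of the advisory and not any vendor's query. It runs over a constructed JSON-lines feed of Sysmon-style process-creation and application-crash records; the field names (`event`, `parent`, `image`, `motw`, `doc`, `fault`) are assumptions, not a real EDR schema.

```python
"""Hunt for Word anomalies in constructed endpoint telemetry (added example)."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Scripting hosts that Word has no business spawning (the advisory's hunt list).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Window in which repeated crashes of one document by one user count as the re-open pattern.
CRASH_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry, not real endpoint data. splwow64.exe is a benign
# print-spooler child included to show that ordinary children are not flagged.
SAMPLE_EVENTS = """
{"ts": "2026-04-15T09:00:00", "event": "process_create", "host": "wks01", "user": "alice", "parent": "WINWORD.EXE", "image": "splwow64.exe", "cmdline": "splwow64.exe 12288", "motw": true, "doc": "quarterly.docx"}
{"ts": "2026-04-15T09:01:10", "event": "app_crash", "host": "wks01", "user": "alice", "image": "WINWORD.EXE", "fault": "c0000005", "doc": "invoice.docx"}
{"ts": "2026-04-15T09:02:05", "event": "app_crash", "host": "wks01", "user": "alice", "image": "WINWORD.EXE", "fault": "c0000005", "doc": "invoice.docx"}
{"ts": "2026-04-15T09:03:30", "event": "process_create", "host": "wks01", "user": "alice", "parent": "WINWORD.EXE", "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden", "motw": true, "doc": "invoice.docx"}
{"ts": "2026-04-15T10:15:00", "event": "process_create", "host": "wks02", "user": "bob", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd /c dir", "motw": false, "doc": null}
{"ts": "2026-04-15T11:40:00", "event": "app_crash", "host": "wks02", "user": "bob", "image": "WINWORD.EXE", "fault": "c0000005", "doc": "memo.docx"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines telemetry; timestamps become datetime objects."""
    events = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_suspicious_children(events: list[dict]) -> list[dict]:
    """Flag process-creation events where WINWORD.EXE is the parent of a scripting host."""
    hits = []
    for ev in events:
        if ev.get("event") != "process_create":
            continue
        if ev.get("parent", "").lower() != "winword.exe":
            continue
        if ev.get("image", "").lower() in SUSPICIOUS_CHILDREN:
            hits.append({
                "host": ev["host"], "user": ev["user"], "doc": ev.get("doc"),
                "child": ev["image"], "cmdline": ev.get("cmdline"),
                "motw": bool(ev.get("motw")), "ts": ev["ts"],
            })
    return hits


def find_repeated_crashes(events: list[dict], min_count: int = 2,
                          window: timedelta = CRASH_WINDOW) -> list[dict]:
    """Flag one user re-opening the same document after it crashed Word, within `window`."""
    by_doc: dict[tuple, list[datetime]] = defaultdict(list)
    for ev in events:
        if ev.get("event") == "app_crash" and ev.get("image", "").lower() == "winword.exe":
            by_doc[(ev["host"], ev["user"], ev.get("doc"))].append(ev["ts"])
    findings = []
    for (host, user, doc), times in by_doc.items():
        times.sort()
        # Sliding window: count crashes that fall within `window` of each start point.
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_count:
                findings.append({"host": host, "user": user, "doc": doc, "crashes": n})
                break
    return findings


def triage(jsonl: str) -> dict:
    """Run both hunts and return the findings keyed by hunt name."""
    events = parse_events(jsonl)
    return {
        "word_spawned_scripting_host": find_suspicious_children(events),
        "repeated_word_crashes": find_repeated_crashes(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), default=str, indent=2))
```

Both hunts key on the document name so that a scripting-host spawn and a crash burst for the same file can be joined in the SIEM; the Mark-of-the-Web flag is carried through so the correlation with internet-origin documents described above can be applied as a filter on the output.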
How to Mitigate CVE-2026-33822
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-33822 Update Guide as soon as it is available for your channel.
- Confirm that Microsoft 365 Apps clients are receiving updates from the Current Channel or Monthly Enterprise Channel and are not pinned to a deferred build.
- For macOS, update Office LTSC 2021 and 2024 through Microsoft AutoUpdate (msupdate --install).
Patch Information
Microsoft has issued guidance through MSRC. Administrators should consult the Microsoft CVE-2026-33822 Update Guide for the specific build numbers that remediate the issue across Microsoft 365 Apps and Office LTSC 2021/2024 for macOS. Verify deployment with Get-OfficeVersion or the Office update history page after installation.
Workarounds
- Open untrusted Word documents in Protected View, which sandboxes the parser and limits the impact of a successful out-of-bounds read.
- Use the Office File Block policy to prevent Word from opening legacy formats such as .doc and .rtf from untrusted locations until the patch is applied.
- Enforce Mark-of-the-Web preservation so that documents downloaded from the internet open in Protected View by default.
# Configuration example: keep Protected View enabled through the per-user Word registry keys on Windows. A value of 0 keeps that category of file in Protected View; the Group Policy equivalents, which take precedence over these keys, live under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView.
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f
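A way to verify that the Protected View settings above are actually in effect across a fleet, as an added example that is not part of the advisory: it reads the text of a `reg export` (.reg) file rather than the live registry, so it runs anywhere and can be pointed at exports collected from endpoints. The three value names are the ones used in the configuration example above; the Policies path is where the Office ADMX templates store the Group Policy versions, which override the user's Trust Center choice. The sample export is constructed.

```python
"""Audit Word Protected View settings from a .reg export (added example)."""
import re

PV_VALUES = ("DisableInternetFilesInPV", "DisableAttachmentsInPV", "DisableUnsafeLocationsInPV")
# Per-user Trust Center key (the one the reg add lines above write to).
USER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\ProtectedView"
# Group Policy key; values here override the per-user ones.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView"

# Constructed sample export: the user has turned off Protected View for internet
# files, but policy forces it back on; attachments are on only by user choice;
# unsafe locations are not mentioned at all (so the default applies).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\ProtectedView]
"DisableInternetFilesInPV"=dword:00000001
"DisableAttachmentsInPV"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView]
"DisableInternetFilesInPV"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path_lowercased: {value_name: int}} for the dword values in a .reg file."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_protected_view(text: str) -> dict:
    """Resolve the effective value of each Protected View toggle and whether policy pins it."""
    keys = parse_reg_export(text)
    user = keys.get(USER_KEY.lower(), {})
    policy = keys.get(POLICY_KEY.lower(), {})
    report = {}
    for name in PV_VALUES:
        user_val = user.get(name)
        policy_val = policy.get(name)
        # Policy wins over the user's choice; an absent value means the default,
        # and the default keeps Protected View on (equivalent to 0).
        if policy_val is not None:
            effective = policy_val
        elif user_val is not None:
            effective = user_val
        else:
            effective = 0
        report[name] = {
            "user": user_val,
            "policy": policy_val,
            "protected_view_on": effective == 0,
            "policy_enforced": policy_val is not None,
        }
    return report


def findings(text: str) -> list:
    """Lines an administrator would act on: disabled toggles first, then unpinned ones."""
    out = []
    for name, r in audit_protected_view(text).items():
        if not r["protected_view_on"]:
            out.append(f"{name}: Protected View disabled (effective value 1)")
        elif not r["policy_enforced"]:
            out.append(f"{name}: on, but not enforced by policy (user can turn it off)")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_EXPORT):
        print(line)
```

To feed it a real export, run `reg export` against both key paths on the endpoint and open the resulting file with `encoding="utf-16"`, since reg export writes UTF-16 by default. The distinction between "on" and "enforced by policy" is the useful part: the reg add lines above only set the per-user values, which a user can undo in the Trust Center, so a clean fleet shows every toggle as policy-enforced.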
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.