CVE-2026-41101 Overview
CVE-2026-41101 is an improper access control vulnerability in Microsoft Office Word that allows an authorized attacker to perform spoofing locally. The flaw is tracked under CWE-284: Improper Access Control and affects the Android distribution of Microsoft Word according to the affected CPE configuration. Exploitation requires local access and low-privileged authentication, but no user interaction is needed. A successful attack can produce high impact on integrity by enabling spoofed content or identity within the Word application context.
Critical Impact
A locally authorized attacker can spoof content within Microsoft Word, undermining trust in document integrity without requiring user interaction.
Affected Products
- Microsoft Word (Android)
- Vendor: Microsoft
- Component: microsoft:word
Discovery Timeline
- 2026-05-12 - CVE-2026-41101 published to NVD
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-41101
Vulnerability Analysis
The vulnerability arises from improper access control within Microsoft Word, classified under CWE-284. Microsoft's advisory describes it as a spoofing issue exploitable by an authorized local attacker. The impact is limited to integrity, meaning an attacker can alter how content, identities, or document attributes are presented to users without affecting confidentiality or availability. Because the attack vector is local and requires low privileges, exploitation depends on the attacker already having some level of access to the device running Word.
Root Cause
The root cause is an access control weakness in Microsoft Word that fails to adequately restrict actions an authorized user can perform. This gap allows the attacker to manipulate Word in a way that produces spoofed output. Microsoft has not published detailed technical analysis of the affected code path. Refer to the Microsoft CVE-2026-41101 Update Guide for vendor-supplied details.
Attack Vector
The attack requires local access to a device running an affected build of Microsoft Word on Android. The attacker must hold valid, low-privilege credentials but does not need to trick a user into clicking or opening content. Once executed, the spoofing primitive can be used to misrepresent document content or sender attribution. No public proof-of-concept or exploit code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified exploitation code is available for this vulnerability. See the Microsoft CVE-2026-41101 Update Guide for vendor guidance.
Detection Methods for CVE-2026-41101
Indicators of Compromise
- No public indicators of compromise have been published for CVE-2026-41101 at this time.
- Anomalous local invocation of Microsoft Word by low-privileged accounts on Android devices warrants review.
- Unexpected Word document content modifications or mismatched author metadata may indicate spoofing activity.
Detection Strategies
- Monitor mobile device management (MDM) telemetry for outdated Microsoft Word installations on Android endpoints.
- Review Word application logs and document audit trails for signs of unauthorized content alteration.
- Correlate local privilege use against Office applications with identity and access logs to flag suspicious behavior.
Monitoring Recommendations
- Track Microsoft Word version inventory across managed Android devices and flag versions predating the vendor patch.
- Apply MDM-based application control to alert when unauthorized or sideloaded Word builds appear.
- Review user reports of suspicious or spoofed documents and tie them to device-level telemetry.
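One way to implement the version-inventory check above, as an added example (not code from Microsoft's advisory or from this page): it parses `adb shell dumpsys package com.microsoft.office.word` output and compares the reported `versionName` numerically against the fixed build. The function names, the sample dumpsys text and the version numbers are constructed for illustration, and `FIXED_VERSION` is a placeholder because this page does not state the fixed build.

```shell
#!/bin/sh
# Added example: classify a device's Word for Android build against a threshold.
PKG="com.microsoft.office.word"

# Extract the first versionName= value from `dumpsys package` text on stdin.
extract_version() {
  tr -d '\r' | sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Return 0 if dotted version $1 is lower than $2, comparing field by field as
# numbers (a string compare would wrongly rank 16.0.99 above 16.0.100).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    fa=${a%%.*}; fb=${b%%.*}
    [ "$a" = "$fa" ] && a= || a=${a#*.}
    [ "$b" = "$fb" ] && b= || b=${b#*.}
    fa=${fa:-0}; fb=${fb:-0}
    [ "$fa" -lt "$fb" ] && return 0
    [ "$fa" -gt "$fb" ] && return 1
  done
  return 1   # equal versions are not "lower"
}

# Read dumpsys text on stdin; print NOT_FOUND, UNKNOWN, OUTDATED or OK.
classify_word_build() {
  fixed=$1
  v=$(extract_version)
  case $v in
    '')        echo "NOT_FOUND"; return 0 ;;   # no versionName line in the output
    *[!0-9.]*) echo "UNKNOWN $v"; return 0 ;;  # unexpected format: review by hand
  esac
  if version_lt "$v" "$fixed"; then echo "OUTDATED $v"; else echo "OK $v"; fi
}

# Live use (needs adb and an authorised device); the serial argument is optional.
# FIXED_VERSION must be set to the fixed build taken from the vendor advisory.
check_device() {
  adb ${1:+-s "$1"} shell dumpsys package "$PKG" |
    classify_word_build "${FIXED_VERSION:?set to the fixed build from the advisory}"
}

# Constructed dumpsys excerpt (not captured from a real device).
SAMPLE_OLD='Packages:
  Package [com.microsoft.office.word] (abc123):
    versionCode=2000000001 minSdk=28 targetSdk=34
    versionName=16.0.100.20'

# Demo against a constructed threshold.
printf '%s\n' "$SAMPLE_OLD" | classify_word_build 16.0.100.30
```

Run `check_device` once per enrolled device serial and treat `NOT_FOUND` and `UNKNOWN` as results that need manual review, not as a pass.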
How to Mitigate CVE-2026-41101
Immediate Actions Required
- Apply the Microsoft Word update referenced in the Microsoft CVE-2026-41101 Update Guide as soon as it is available for managed devices.
- Inventory all Android devices running Microsoft Word and verify they are receiving updates through Google Play or enterprise MDM channels.
- Restrict local access on shared or kiosk devices where multiple low-privileged users can launch Word.
Patch Information
Microsoft has published guidance for CVE-2026-41101 in the Microsoft Security Response Center advisory. Administrators should consult the advisory for the specific fixed build of Microsoft Word for Android and deploy it through their standard mobile update process.
Workarounds
- Limit installation of Microsoft Word on Android devices to users with a documented business need.
- Enforce least-privilege access on shared Android devices to reduce the pool of accounts that could exploit the flaw locally.
- Educate users to validate document source and author attribution before acting on Word content received on mobile devices.
```bash
# Example: query installed Word version on an Android device via adb
adb shell dumpsys package com.microsoft.office.word | grep versionName
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


