CVE-2026-20952
📋 TL;DR
This CVE describes a use-after-free vulnerability in Microsoft Office that allows an unauthorized attacker to execute arbitrary code on a victim's system. Attackers can exploit this by tricking users into opening malicious Office documents. All users running vulnerable versions of Microsoft Office are affected.
💻 Affected Systems
- Microsoft Office
- Microsoft 365 Apps
📦 What is this software?
365 Apps by Microsoft
Office by Microsoft
Office Long Term Servicing Channel by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive files, credential theft, and lateral movement within the network.
If Mitigated
Limited impact with proper application sandboxing and exploit mitigations, potentially resulting in application crash rather than code execution.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious document). No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific patch versions
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20952
Restart Required: Yes
Instructions:
1. Open any Office application.
2. Go to File > Account > Update Options > Update Now.
3. Restart computer after update completes.
For enterprise: Deploy through Microsoft Update or WSUS.
🔧 Temporary Workarounds
Disable Office document preview
Windows: Prevents automatic parsing of malicious documents in Windows Explorer preview pane
reg add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "DisablePreview" /t REG_DWORD /d 1 /f
Use Office Protected View
Windows: Force all documents from internet to open in Protected View
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized Office document execution
- Deploy network segmentation to limit lateral movement from compromised systems
🔍 How to Verify
Check if Vulnerable:
Check Office version against patched versions in Microsoft advisory. Vulnerable if running unpatched version.
Check Version:
Open Word > File > Account > About Word (version displayed)
Verify Fix Applied:
Verify Office version matches or exceeds patched version listed in Microsoft Security Update Guide
📡 Detection & Monitoring
Log Indicators:
- Office application crashes with memory access violations
- Unusual Office child process creation
- Suspicious PowerShell/CMD execution from Office processes
Network Indicators:
- Outbound connections from Office processes to unknown IPs
- DNS queries for command and control domains from Office context
SIEM Query:
source="*office*" AND (event_id=1000 OR process_name="powershell.exe" OR process_name="cmd.exe")
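The log indicators above can be tightened by tying shell launches to an Office parent process and to an earlier access-violation crash on the same host. The following is an added example, not part of the original page or of any Microsoft tooling; the event schema, the list of Office binaries, the `EXPECTED_CHILDREN` allowlist and the sample events are all constructed assumptions.

```python
import ntpath

# Assumed, constructed event schema (not a specific SIEM's):
#   process start: event_id 1, fields image / parent_image
#   app crash:     event_id 1000, fields app / exception_code
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
EXPECTED_CHILDREN = {"splwow64.exe"}  # assumption: tune per environment
ACCESS_VIOLATION = 0xC0000005  # STATUS_ACCESS_VIOLATION


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()


def triage(events):
    """Return (host, reason) findings for time-ordered events."""
    findings, crashed = [], set()
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 1000:
            app = base(ev["app"])
            if app in OFFICE and int(ev["exception_code"], 16) == ACCESS_VIOLATION:
                crashed.add((host, app))
                findings.append((host, "office-access-violation"))
        elif ev["event_id"] == 1:
            child, parent = base(ev["image"]), base(ev["parent_image"])
            if parent not in OFFICE or child in OFFICE | EXPECTED_CHILDREN:
                continue
            if child in SHELLS:
                # Same app crashed earlier on this host: stronger signal.
                hit = (host, parent) in crashed
                findings.append((host, "shell-after-crash" if hit else "office-spawned-shell"))
            else:
                findings.append((host, "unusual-office-child"))
    return findings


# Constructed sample events in time order.
SAMPLE = [
    {"host": "ws1", "event_id": 1000, "app": "WINWORD.EXE", "exception_code": "0xc0000005"},
    {"host": "ws1", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "ws2", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws3", "event_id": 1, "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]
```

Unlike the flat OR in the SIEM query, this does not flag `cmd.exe` started from `explorer.exe`, and it ranks a shell spawned by an Office application that just crashed above an isolated one.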