CVE-2026-33824
A remote code execution vulnerability exists in Microsoft Office and Outlook due to an OLE object handling bug. An attacker could exploit this vulnerability by sending a specially crafted email; previewing the email in the Outlook Preview Pane is sufficient to trigger exploitation, without requiring the user to open the message. Successful exploitation allows arbitrary code execution in the context of the user. The vulnerability was disclosed as part of Microsoft's April 2026 Patch Tuesday release, which remediated 167 vulnerabilities. This CVE was rated Critical severity with a CVSS base score of 8.4. The Preview Pane attack vector significantly increases exploitability, as no user interaction beyond viewing the email preview is required.
CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-843
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824
- https://nvd.nist.gov/vuln/detail/CVE-2026-33824