CVE-2026-33114
Published: 14 April 2026
Summary
CVE-2026-33114 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 23.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-33114 is an untrusted pointer dereference vulnerability (CWE-822) in Microsoft Office Word. It enables an unauthorized attacker to execute arbitrary code locally on a victim's machine. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete compromise of confidentiality, integrity, and availability with low complexity and no privileges required.
An attacker with local access to the target system can exploit this vulnerability by getting a user to open a maliciously crafted Word document. No user interaction beyond opening the file is needed, and no special privileges are required. Successful exploitation allows the attacker to execute code in the context of the Word process, which can lead to full system compromise, including privilege escalation, data theft, or deployment of malware.
For mitigation guidance and patch details, refer to the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33114.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22631
Vulnerability details
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
- CWE(s): CWE-822 (Untrusted Pointer Dereference)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The untrusted pointer dereference in Microsoft Word enables arbitrary code execution when a crafted document is opened, which maps directly to exploitation of a client application vulnerability (T1203).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the untrusted pointer dereference vulnerability in Microsoft Office Word through timely identification, reporting, and patching of flaws.
- SI-16 (Memory Protection): Implements memory protection mechanisms such as ASLR and DEP to mitigate arbitrary code execution resulting from untrusted pointer dereferences in Word documents.
- CM-6 (Configuration Settings): Enforces hardened configuration settings for Microsoft Office, such as Protected View, so that untrusted documents are handled safely and exploitation is prevented.
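The CM-6 control above depends on Protected View actually being in force on each endpoint, which is easy to verify. The following PowerShell audit script is an added example, not part of this advisory or of any Microsoft tooling. It assumes Office 2016 or later (registry version key `16.0`), reads the three standard Protected View switches (`DisableInternetFilesInPV`, `DisableAttachementsInPV`, `DisableUnsafeLocationsInPV`, where a value of 1 turns that trigger off), and treats a Group Policy value as overriding the per-user value; the helper names `Get-PVValue` and `Get-WordProtectedViewStatus` are this example's own.

```powershell
# Added example (not from the advisory): audit Word Protected View triggers so a
# defender can confirm that untrusted documents still open in the sandboxed view.
# Assumptions: Office 2016+ registry layout ("16.0"); a value of 1 disables the
# named trigger; a policy value takes precedence over the user value; an absent
# value means the Office default, which is Protected View enabled.

$OfficeVersion = '16.0'
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security\ProtectedView"
$UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\ProtectedView"

# Value name -> human-readable trigger. The misspelling in the second name is the
# real registry value name used by Office.
$Triggers = [ordered]@{
    'DisableInternetFilesInPV'   = 'Files from the Internet (Mark-of-the-Web)'
    'DisableAttachementsInPV'    = 'Outlook attachments'
    'DisableUnsafeLocationsInPV' = 'Files in unsafe locations'
}

function Get-PVValue {
    # Returns the DWORD stored under $Key\$Name, or $null when the key or value is absent.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WordProtectedViewStatus {
    # Emits one object per trigger with its effective state and where that state came from.
    foreach ($name in $Triggers.Keys) {
        $policy = Get-PVValue -Key $PolicyKey -Name $name
        $user   = Get-PVValue -Key $UserKey   -Name $name
        if ($null -ne $policy)   { $value = $policy; $source = 'Policy' }
        elseif ($null -ne $user) { $value = $user;   $source = 'User' }
        else                     { $value = 0;       $source = 'Default' }
        [pscustomobject]@{
            Trigger       = $Triggers[$name]
            ProtectedView = if ($value -eq 0) { 'Enabled' } else { 'DISABLED' }
            Source        = $source
        }
    }
}

$status = Get-WordProtectedViewStatus
$status | Format-Table -AutoSize

if ($status.ProtectedView -contains 'DISABLED') {
    Write-Warning 'At least one Protected View trigger is disabled; untrusted documents may be parsed outside the sandbox.'
}

# Optional (Windows 10/11 with the ProcessMitigations module): report the system-wide
# DEP/ASLR posture that the SI-16 control relies on. Skipped silently elsewhere.
try {
    $sys = Get-ProcessMitigation -System
    $sys.DEP  | Format-List
    $sys.ASLR | Format-List
} catch {
    Write-Verbose 'Get-ProcessMitigation is not available on this host.'
}
```

Run it in the context of the user whose Word settings you are checking; reading these keys needs no elevation. A `DISABLED` row with source `User` is the case to look for in a fleet audit, since it means a user-level change has overridden the intended hardening without a policy backing it.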