Microsoft Issues Critical Outlook, Word and Windows Updates to Patch RCE and Other Flaws
Microsoft released critical security updates addressing three remote‑code‑execution (RCE) flaws in Outlook and Word (CVE‑2026‑45456, CVE‑2026‑45458, CVE‑2026‑47635). The vulnerabilities stem from unsafe memory handling in the Office document‑parsing engine, enabling a crafted email or document to execute arbitrary code when rendered, without user interaction. Microsoft urges immediate installation of the patches for affected Office LTSC 2024 and related builds, and recommends hardening Outlook preview settings and applying layered defenses.
In the June 2026 Patch Tuesday release, Microsoft shipped 206 updates covering Windows, Office, Exchange Server and developer tools. Notable fixes include an elevation‑of‑privilege bug in the Collaborative Translation Framework, a denial‑of‑service issue in HTTP.sys, and a BitLocker recovery‑key bypass. Additional out‑of‑band patches address RCE in SharePoint and Microsoft Teams spoofing. Administrators are advised to prioritize domain controllers, Hyper‑V hosts and Outlook‑heavy desktops when testing and deploying the updates.