Skip to content
Threat Feed
medium advisory

CVE-2026-41101: Microsoft Office Word Improper Access Control Vulnerability Leading to Local Spoofing

CVE-2026-41101 is a vulnerability in Microsoft Office Word due to improper access control, which allows an authorized attacker to perform spoofing locally, with a CVSS v3.1 base score of 7.1.

CVE-2026-41101 is a security vulnerability affecting Microsoft Office Word. The vulnerability stems from an improper access control issue that allows an authorized attacker to perform spoofing locally. This could potentially allow an attacker with local access to the system to manipulate the user interface or other elements within Word to mislead the user. The vulnerability has a CVSS v3.1 score of 7.1, indicating a high severity level. This vulnerability was disclosed on May 12, 2026, and requires a patch from Microsoft to mitigate the risk. Defenders should prioritize applying the necessary updates to prevent potential exploitation.

Attack Chain

  1. Attacker gains local access to a system with a vulnerable version of Microsoft Office Word.
  2. Attacker crafts a malicious Word document or utilizes an existing document.
  3. The malicious document leverages the improper access control vulnerability.
  4. The vulnerability is triggered when the crafted document is opened by a user with Word.
  5. The attacker spoofs elements within the Word interface.
  6. The spoofing misleads the user, potentially leading to further actions.
  7. Attacker achieves their objective, such as gaining access to sensitive information or tricking the user into running malicious code.

Impact

Successful exploitation of CVE-2026-41101 could allow a local attacker to spoof elements within Microsoft Word, potentially misleading users and leading to further malicious activity. While the impact is limited to local users, the ability to spoof the interface could be used to trick users into providing sensitive information or executing malicious code. The CVSS score of 7.1 reflects the high potential for impact, particularly in environments where local security is not strictly enforced.

Recommendation

  • Apply the security update released by Microsoft to patch CVE-2026-41101 as soon as possible by checking the Microsoft Security Update Guide referenced in this brief.
  • Deploy the Sigma rule “Detect CVE-2026-41101 Exploitation Attempt via Suspicious Word Process Creation” to your SIEM to detect potential exploitation attempts in your environment.
  • Monitor process creation events for unusual Word child processes using the process_creation log source to identify potential exploitation attempts.

Detection coverage 2

Detect CVE-2026-41101 Exploitation Attempt via Suspicious Word Process Creation

high

Detects potential exploitation attempts of CVE-2026-41101 by monitoring for suspicious child processes spawned by Microsoft Word.

sigma tactics: defense_evasion, execution techniques: T1059.001, T1059.003, T1202 sources: process_creation, windows

Detect CVE-2026-41101 Exploitation Attempt via Suspicious Local File Creation

medium

Detects potential exploitation attempts of CVE-2026-41101 by monitoring for suspicious file creation events in local directories.

sigma tactics: defense_evasion, persistence techniques: T1036, T1547.001 sources: file_event, windows

Detection queries are available on the platform. Get full rules →