Microsoft's June 2026 Patch Tuesday brought a fix for CVE-2026-44821, an information disclosure vulnerability in Microsoft Office rated Important. The flaw, caused by an out-of-bounds read, could allow a local attacker to extract sensitive data from memory. While Windows updates are rolling out, the patch for Office for Mac is conspicuously absent, leaving Apple users exposed until an unspecified later date. SharePoint Server deployments are also affected, making prompt patching critical for enterprise environments.

The vulnerability surfaced on June 9, 2026, alongside a wave of other security fixes. Microsoft's advisory warns that an attacker who successfully exploits CVE-2026-44821 could access memory contents that are normally off-limits. The attack vector is local, meaning the malicious actor needs either physical access to the device or the ability to run code on the target system through another method—such as social engineering or a companion exploit. Once exploited, the out-of-bounds read can reveal encryption keys, authentication tokens, or other confidential data that should remain hidden.

The Out-of-Bounds Read Explained

Out-of-bounds read vulnerabilities occur when software tries to access a memory location beyond the intended buffer. In the context of Office, this might happen while parsing a document, opening a specially crafted file, or processing embedded objects. An attacker can supply a malformed Office file that triggers the flaw, forcing the application to spill its internal secrets. Because Office handles a wide range of document formats and integrates deeply with the operating system, the leaked data can have far-reaching consequences.

Unlike remote code execution bugs, information disclosure alone doesn't give direct control over a system. However, it can serve as a stepping stone in a larger attack chain. For example, disclosing a credential used for a service account or a session token could let an attacker move laterally within a network. Security teams often treat info leaks as critical precursors to more damaging breaches.

Affected Products and Attack Surface

Microsoft's advisory identifies the following affected software:

  • Microsoft Office 2026 for Windows (all editions)
  • Microsoft 365 Apps for enterprise (current channel and LTSC)
  • SharePoint Server Subscription Edition and SharePoint Server 2026

Office for Mac is listed as affected, but no update is yet available—a detail Microsoft attributes to "development delays." This marks a rare gap in the company's simultaneous release cadence for macOS and Windows productivity suites. Administrators managing mixed-platform fleets must now contend with a patch asymmetry that could last days or weeks.

SharePoint Server's presence on the list stems from its use of Office components for document rendering and collaboration. An authenticated user on SharePoint could abuse the flaw by uploading a specially crafted file that, when processed by the server, leaks memory from the farm. Web Application firewalls (WAFs) and input validation may offer partial shielding, but the only comprehensive fix is the update.

Severity and Real-World Impact

Microsoft classifies CVE-2026-44821 as Important rather than Critical. The ranking reflects the local attack vector and the confidentiality-only impact—there is no integrity or availability loss. However, don't let the label lull you into complacency. Many memorable attacks, from the Shadow Brokers leaks to modern ransomware campaigns, have woven info disclosure bugs into their exploit chains.

The CVSS v3.1 base score for this vulnerability has yet to be published by the National Vulnerability Database, but internal estimates suggest a range of 5.5 to 6.3 depending on the environment. The biggest variable is the complexity of exploit development: an attacker needs to craft a reliable file-based trigger and have a way to retrieve the leaked memory, which may be influenced by ASLR and other mitigations.

At the time of disclosure, Microsoft stated it had no evidence of active exploitation in the wild. That assessment can change quickly, especially if proof-of-concept code circulates online. The window for Windows users to patch is now; for Mac users, it's a waiting game.

Mitigation and Workarounds

Until the update is applied, Microsoft suggests two workarounds for those who cannot immediately patch:

  • Disable Office macro execution where possible. While not a direct mitigation for the out-of-bounds read, macros are a common delivery vector for weaponized documents. Limiting them reduces the chance that an attacker can combine this flaw with other code execution methods.
  • Use Protected View and Application Guard features in Office. Opening untrusted documents in these sandboxed environments can limit the attacker's ability to read process memory outside the container.

For SharePoint, the only reliable workaround is to restrict uploads from untrusted sources and enforce strict content inspection. Large enterprises should also consider short-term network segmentation or restricting authenticated access to SharePoint portals until patching is complete.

Detection Guidance

Defenders can hunt for potential exploitation attempts by monitoring for abnormal Office process behavior. Indicators might include:

  • Unexpected child processes spawned by WINWORD.EXE or EXCEL.EXE.
  • Access to suspicious memory regions via tools like Sysmon event ID 10 (ProcessAccess).
  • Sudden crashes in Office applications followed by data extraction attempts.

Endpoint detection and response (EDR) solutions can be tuned to flag any Office process reading sensitive files or making outbound network connections after handling a document. Microsoft has shared basic detection logic through its Security Response Center blog, which administrators should adapt to their SIEM rules.

Patch Deployment Strategy

The patch is delivered through Microsoft Update, Windows Server Update Services (WSUS), and the Microsoft 365 update channel. For Windows users, installation is straightforward:

  1. Open Settings → Windows Update.
  2. Click "Check for updates."
  3. Install all pending patches, especially those with the June 2026 security tag.

IT administrators should prioritize devices where users work with untrusted Office documents—executives, legal teams, HR personnel, and anyone who frequently opens email attachments. SharePoint patches require a server update and possibly a configuration refresh; review Microsoft's deployment guides for your specific server version to avoid downtime.

Office for Mac users face a different reality. The update will eventually appear in the Microsoft AutoUpdate tool, but no timeline has been provided. In the interim, macOS users should exercise extreme caution with Office documents from unknown sources. Consider using the web-based Office apps as a stopgap, as these are protected by cloud-side mitigations.

The Bigger Picture: Office Security in 2026

CVE-2026-44821 is the third Office info disclosure vulnerability patched in 2026, continuing a trend that reflects the complexity of maintaining a legacy-rich codebase. Office remains a prime target precisely because it's ubiquitous across enterprises and processes an enormous variety of file types.

Microsoft has invested heavily in memory-safe languages and isolation technologies, but moving a 40-year-old product suite off C++ is a multi-decade journey. In the short term, each Patch Tuesday brings incremental improvements. June's release also featured fixes for two critical RCEs in Excel and a privilege escalation in Outlook, underscoring the pressure on security teams to maintain an aggressive update cadence.

What's Next?

With the patch now available, the focus shifts to adoption velocity. Historical data shows that over 60% of Windows devices are patched within 30 days, but the remaining 40% leave a long tail of exploitable endpoints. The Mac delay adds uncertainty: until Apple users receive their fix, the entire attack surface cannot be considered closed.

Microsoft has promised an out-of-band update for Office for Mac "soon," a phrase that leaves CISOs uneasy. In the meantime, monitor your Extended Detection and Response (XDR) dashboards for any signs of anomalous Office activity. If you haven't already, implement application allowlisting and restrict macro execution to signed, trusted documents only.

CVE-2026-44821 isn't the most headline-grabbing bug of 2026, but its information disclosure nature makes it a valuable tool for sophisticated attackers. Apply the patch, stifle the attack vector, and keep a hawk-eye on your Mac fleet.