May 2026: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-35436 Published on May 12, 2026

Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.


Weakness Type

Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.


Products Associated with CVE-2026-35436


Affected Versions

Microsoft 365 Apps for Enterprise:
Microsoft Office 2019:
Microsoft Office LTSC 2021:
Microsoft Office LTSC 2024: