CVE-2025-26630: 
vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-26630) was discovered in Microsoft Office Access that allows an unauthorized attacker to execute code locally. The vulnerability was disclosed on March 11, 2025, affecting Microsoft Access 2016 and potentially other versions (NVD, Microsoft Support).

The vulnerability is classified as CWE-416 (Use After Free) with a CVSS v3.1 base score of 7.8 (HIGH). The attack vector is local (AV:L), with low attack complexity (AC:L), requiring no privileges (PR:N) but does need user interaction (UI:R). The scope is unchanged (S:U) with high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current user. The Preview Pane is not considered an attack vector for this vulnerability (Rapid7).

Microsoft has released security updates to address this vulnerability. The patch is available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. For Microsoft Access 2016, users need to install security update KB5002697. Note that the update applies to the Microsoft Installer (.msi)-based edition of Office 2016 and not to Click-to-Run editions such as Microsoft Office 365 Home (Microsoft Support).

The vulnerability was discovered and reported by Unpatched.ai, who has been credited with identifying multiple Access vulnerabilities in recent months (Rapid7).