What is CVE-2021-28453?

CVE-2021-28453 is a vulnerability that allows remote attackers to execute arbitrary code on affected installations of Microsoft Word.

How does CVE-2021-28453 work?

CVE-2021-28453 works by exploiting a use-after-free vulnerability in the parsing of DOC files in Microsoft Word.

Is user interaction required to exploit CVE-2021-28453?

Yes, user interaction is required to exploit CVE-2021-28453. The target must visit a malicious page or open a malicious file.

Which versions of Microsoft Word are affected by CVE-2021-28453?

CVE-2021-28453 affects Microsoft Word 2010, 2013, 2016, and 2019.

How can I fix CVE-2021-28453?

To fix CVE-2021-28453, apply the security patches provided by Microsoft for the affected versions of Microsoft Word.

Vulnerability/
CVE-2021-28453

high

7.8

13/4/2021

16/1/2024

3/8/2024

CVE-2021-28453: Microsoft Word DOC File Parsing Use-After-Free Remote Code Execution Vulnerability

First published: Tue Apr 13 2021(Updated: )

Microsoft Word Remote Code Execution Vulnerability

Credit: secure@microsoft.com secure@microsoft.com

Affected Software	Affected Version	How to fix
Microsoft Word
Microsoft Office 2010		fix available externally
Microsoft SharePoint Enterprise Server 2013		fix available externally
Microsoft Word 2010		fix available externally
Microsoft Word 2013		fix available externally
Microsoft Word 2016		fix available externally
Microsoft 365 Apps for Enterprise		fix available externally
Microsoft Office 2019 for 64-bit editions		fix available externally
Microsoft Word 2016		fix available externally
Microsoft SharePoint Server 2019		fix available externally fix available externally
Microsoft SharePoint Enterprise Server 2016		fix available externally fix available externally
Microsoft Office Online Server		fix available externally
Microsoft SharePoint Server 2010		fix available externally
Microsoft Word 2013		fix available externally
Microsoft Word 2010		fix available externally
Microsoft Office 2019 for Mac		fix available externally
Microsoft 365 Apps for Enterprise		fix available externally
Microsoft Office Web Apps Server 2013		fix available externally
Microsoft Office 2010		fix available externally
Microsoft Office 2019 for 32-bit editions		fix available externally
Microsoft Office Web Apps 2010		fix available externally
Microsoft Word 2013 RT		fix available externally
Microsoft 365 Apps
Microsoft Office	=2019
Microsoft Office	=2019
Microsoft Office Online Server
Microsoft Office Web Apps	=2010-sp2
Microsoft Office Web Apps Server	=2013-sp1
Microsoft SharePoint Server	=2010-sp2
Microsoft SharePoint Server	=2013-sp1
Microsoft SharePoint Server	=2016
Microsoft SharePoint Server	=2019
Microsoft Word	=2010-sp2
Microsoft Word	=2013-sp1
Microsoft Word	=2013-sp1
Microsoft Word	=2016

Remedy

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28453

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-28453?
CVE-2021-28453 is a vulnerability that allows remote attackers to execute arbitrary code on affected installations of Microsoft Word.
How does CVE-2021-28453 work?
CVE-2021-28453 works by exploiting a use-after-free vulnerability in the parsing of DOC files in Microsoft Word.
Is user interaction required to exploit CVE-2021-28453?
Yes, user interaction is required to exploit CVE-2021-28453. The target must visit a malicious page or open a malicious file.
Which versions of Microsoft Word are affected by CVE-2021-28453?
CVE-2021-28453 affects Microsoft Word 2010, 2013, 2016, and 2019.
How can I fix CVE-2021-28453?
To fix CVE-2021-28453, apply the security patches provided by Microsoft for the affected versions of Microsoft Word.

agent/type
agent/last-modified-date
agent/first-publish-date
collector/msrc-cve
source/Microsoft
agent/author
collector/zdi-advisory
source/ZDI
alias/ZDI-21-423
alias/ZDI-CAN-12701
alias/CVE-2021-28453
agent/software-canonical-lookup
agent/references
agent/remedy
agent/title
agent/severity
agent/description
agent/event
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-index
agent/softwarecombine
agent/tags
collector/mitre-cve
source/MITRE
vendor/microsoft
canonical/microsoft word
canonical/microsoft office 2010
canonical/microsoft sharepoint enterprise server 2013
canonical/microsoft word 2010
canonical/microsoft word 2013
canonical/microsoft word 2016
canonical/microsoft 365 apps for enterprise
canonical/microsoft office 2019 for 64-bit editions
canonical/microsoft sharepoint server 2019
canonical/microsoft sharepoint enterprise server 2016
canonical/microsoft office online server
canonical/microsoft sharepoint server 2010
canonical/microsoft office 2019 for mac
canonical/microsoft office web apps server 2013
canonical/microsoft office 2019 for 32-bit editions
canonical/microsoft office web apps 2010
canonical/microsoft word 2013 rt
canonical/microsoft 365 apps
canonical/microsoft office
version/microsoft office/2019
canonical/microsoft office web apps
version/microsoft office web apps/2010-sp2
canonical/microsoft office web apps server
version/microsoft office web apps server/2013-sp1
canonical/microsoft sharepoint server
version/microsoft sharepoint server/2010-sp2
version/microsoft sharepoint server/2013-sp1
version/microsoft sharepoint server/2016
version/microsoft sharepoint server/2019
version/microsoft word/2010-sp2
version/microsoft word/2013-sp1
version/microsoft word/2016