LOW 3.3

CVE-2026-45455: Microsoft Office Excel Out-of-Bounds Read Information Disclosure

A flaw in Microsoft Office Excel can allow an attacker to read memory that shouldn't be accessible, potentially exposing sensitive information on a local system. The vulnerability requires user interaction—someone must open a specially crafted Excel file—but once triggered, it could leak data like file contents or system details. This is a low-severity issue with no direct impact on system availability or file integrity.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
14 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45455 is an out-of-bounds read vulnerability (CWE-125) in Microsoft Office Excel. The flaw enables unauthorized information disclosure through local access when a user opens a malicious spreadsheet. The attack vector is local, requires no elevated privileges, and depends on user interaction. The CVSS 3.1 score of 3.3 (LOW) reflects the confidentiality impact without integrity or availability consequences. The vulnerability affects multiple Microsoft Office suites and deployment models, including Microsoft 365 Apps, Office 2019, 2021, 2024, and Office Online Server.

Business impact

Information disclosure from this vulnerability poses a moderate business risk depending on the sensitivity of data accessible in the victim's Excel working environment. A user opening a malicious spreadsheet could inadvertently expose customer data, financial records, or other sensitive information resident in memory. The impact is confined to individual endpoints, not system-wide, and does not enable further lateral movement or system compromise. Organizations handling sensitive data in Excel should treat this as a containment issue, not an enterprise crisis.

Affected systems

The vulnerability spans Microsoft's entire Office ecosystem: Microsoft 365 Apps, Excel standalone, Microsoft 365 (subscription service), Office 2019, Office 2021, Office 2024, and Office Online Server. Organizations with any of these installations—particularly those using modern Microsoft 365 deployments—should inventory affected assets. Legacy Office 2019 installations remain in scope. Online Server deployments affect shared document environments.

Exploitability

Exploitation requires local system access and user interaction; an attacker cannot trigger this remotely or without clicking a file. The barrier to exploitation is moderate: an attacker must craft a malicious Excel file and convince a user to open it. There is no known public exploit code, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, suggesting limited real-world weaponization. Email-based file delivery or file-sharing platforms are likely attack vectors.

Remediation

Apply security updates from Microsoft as they become available for your affected Office installation. Verify patches against the official Microsoft Security Update Guide for CVE-2026-45455. For Microsoft 365 Apps and Office Online Server, updates are typically automatic; confirm with your tenant administrator that auto-updates are enabled. Organizations using Office 2019 or 2021 should prioritize patching if those versions remain in use.

Patch guidance

Consult Microsoft's official security advisory and the Security Update Guide for CVE-2026-45455 to identify the specific patch version for your installation. Microsoft 365 Apps customers should verify that automatic updates are enabled in their tenant settings. For on-premises installations (Office 2019, 2021, 2024), apply patches through Windows Update or the Microsoft Update Catalog. Test patches in a non-production environment before broad deployment.

Detection guidance

Monitor for unusual file-opening activity in Excel, particularly around the time of user reports or known phishing campaigns. Endpoint Detection and Response (EDR) tools can flag abnormal memory access patterns during Excel operations. Review user email and file-sharing logs for suspicious spreadsheet attachments. Given the out-of-bounds read nature, look for unexpected data reads from Excel processes in memory forensics. User awareness training on opening unexpected spreadsheets is a practical supplementary measure.

Why prioritize this

This vulnerability merits timely but not emergency patching. The CVSS score of 3.3 (LOW) and lack of KEV inclusion indicate limited active exploitation. However, information disclosure risks warrant remediation, especially for organizations handling regulated data (PII, financial records, health information). Prioritize patching systems used by high-risk user groups (finance, legal, HR) over general staff. The user-interaction requirement and local-only attack vector make this a lower priority than remote, unauthenticated flaws.

Risk score, explained

The CVSS 3.1 score of 3.3 reflects a vulnerability with confidentiality impact but no integrity or availability consequences. The local attack vector and required user interaction reduce the overall severity. While information disclosure is a concern, the limited scope (single-user impact, no lateral movement) and lack of active exploitation keep the score in the LOW range. Organizations should not interpret LOW severity as 'ignore'—timely patching remains prudent, particularly where sensitive data is processed in Excel.

Frequently asked questions

Can this vulnerability be exploited without user interaction?

No. An attacker must convince a user to open a malicious Excel file. There is no remote exploit mechanism.

Will patching Microsoft 365 Apps happen automatically?

Yes, Microsoft 365 Apps apply security updates automatically by default. Verify with your tenant administrator that auto-update policies are enabled. On-premises Office installations require manual patching.

What data could be exposed if exploited?

The out-of-bounds read could expose data resident in Excel's memory during operation—potentially customer lists, financial figures, formulas, or other sensitive spreadsheet contents. The specific exposure depends on what the victim had open at the time.

Is this vulnerability being actively exploited in the wild?

No. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been disclosed, indicating minimal real-world weaponization to date.

This analysis is based on publicly available information and CVE data current as of the publication date. Patch versions, vendor advisories, and exploitation status may change; verify all technical details against Microsoft's official security advisories. This advisory does not constitute legal or compliance advice. Organizations should consult their own security teams and conduct risk assessments specific to their environment and data classification. No exploit code or weaponization details are provided herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).