HIGH 8.4

CVE-2026-45456: Microsoft Office Type Confusion Remote Code Execution Vulnerability

A type confusion flaw in Microsoft Office allows an attacker with local access to execute arbitrary code on a machine without requiring user interaction or elevated privileges. The vulnerability stems from improper handling of incompatible data types in memory, which an attacker can exploit to gain full system compromise including reading, modifying, or deleting files. This is a local-only attack—the attacker must already have a foothold on the system, but once exploited, the impact is severe.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-843
Affected products
16 configuration(s)
Published / Modified
2026-06-09 / 2026-06-19

NVD description (verbatim)

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45456 is a type confusion vulnerability (CWE-843) in Microsoft Office that allows local code execution. The flaw occurs when the application accesses a resource using a data type that is incompatible with the resource's actual type, leading to memory corruption. An attacker can craft a malicious Office document or trigger the vulnerability through Office processes to achieve arbitrary code execution with the same privilege level as the Office application. The attack vector is local and requires no user interaction or special permissions, making it dangerous in scenarios where untrusted documents are opened or Office services are exploited.

Business impact

Organizations relying on Microsoft Office for daily operations face risk of localized compromise. If an attacker gains initial access to a user workstation or server running Office, they can leverage this vulnerability to execute code and potentially move laterally through the environment. Knowledge workers opening unvetted documents are a particular risk vector. In environments with shared Office servers (such as SharePoint) or Microsoft 365 deployments, compromise could lead to unauthorized data access, exfiltration, or sabotage. The lack of user interaction or privilege requirement lowers the barrier to exploitation once an attacker has foothold access.

Affected systems

The vulnerability affects multiple Microsoft Office product lines across current and recent versions: Microsoft 365 Apps, Office 2016, Office 2019, Office 2021, and Office 2024. Microsoft SharePoint Server is also impacted. Organizations running any of these versions on Windows systems should assume exposure. Server-based Office deployments (SharePoint, Exchange with embedded Office components) represent additional risk in enterprise environments.

Exploitability

The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploit or active exploitation campaign has been observed as of the last data update. However, the low attack complexity, lack of required user interaction, and high impact make this an attractive target for attacker development. Once a reliable exploit is published, the barrier to weaponization is low. Organizations should not rely on the absence of KEV status to defer patching.

Remediation

Microsoft has released security updates addressing this type confusion flaw across affected Office versions. Patch availability varies by product line—verify the specific update version from the Microsoft Security Update Guide that corresponds to your deployed Office version. Apply updates according to your organization's patch management cycle, prioritizing systems that process untrusted documents or run Office services in high-trust environments.

Patch guidance

Check the Microsoft Security Update Guide and your organization's internal patch management system for the specific cumulative or security-only update that resolves CVE-2026-45456 for your Office version (2016, 2019, 2021, 2024, Microsoft 365 Apps, or SharePoint Server). Microsoft typically releases patches on the second Tuesday of each month (Patch Tuesday). Test patches in a non-production environment before broad deployment, especially for Office 2016 and 2019 which have additional legacy compatibility considerations. For Microsoft 365 Apps, updates are typically delivered automatically; verify that your tenant has received the fix.

Detection guidance

Monitor for Office processes spawning unexpected child processes or making unusual system calls, which may indicate type confusion exploitation. Log access to Office-related registry keys and DLLs, especially those related to type marshaling or memory allocation. Endpoint Detection and Response (EDR) solutions should flag Office processes attempting to execute code or access restricted memory regions. Consider restricting execution of Office macros and blocking potentially malicious Office file formats (legacy .xls, .doc, .ppt without macro lockdown) in email gateways and on endpoints. Correlate Office process anomalies with file access logs to detect post-exploitation lateral movement.

Why prioritize this

This vulnerability combines high impact (arbitrary code execution, full system compromise) with low barriers to exploitation (no user interaction, no privilege escalation needed). The broad range of affected Office versions—spanning multiple release channels and deployment models—means most organizations have exposure. While not yet in active exploitation, the lack of required user interaction is a key risk factor that warrants fast-track patching. Organizations with high-value information workers, shared Office environments, or externally-facing document processing should treat this as urgent.

Risk score, explained

CVSS 3.1 score of 8.4 (HIGH) reflects the severe confidentiality, integrity, and availability impact combined with local attack vector and no authentication or user interaction requirements. The score does not decay for attack complexity (low = easy to exploit) or privilege requirements (none). In risk-adjusted assessments, organizations should weight this higher if Office is widely used, documents come from untrusted sources, or SharePoint servers are internet-facing or process user-supplied content.

Frequently asked questions

Can this vulnerability be exploited over the network?

No. The attack vector is strictly local—the attacker must already have access to the target machine. However, once an attacker has a foothold (via phishing, malware, or lateral movement), they can exploit this to escalate or gain code execution without requiring additional user action or special privileges.

Does this affect Microsoft 365 online (cloud-based Office)?

Microsoft 365 online (Office for the Web) is not affected. The vulnerability is in the Office desktop application suite and server products. Users accessing Word, Excel, PowerPoint, etc., through a web browser are safe. However, users with Microsoft 365 Apps installed locally on Windows are exposed.

What should I do if I can't patch immediately?

Reduce risk by restricting which documents users can open (disable macros, block legacy formats), isolating Office from network shares, and monitoring for suspicious Office process behavior. Do not use Office to process untrusted or externally-sourced documents until patched. For SharePoint environments, consider restricting document uploads and applying additional access controls.

Is there public exploit code available?

As of the data cutoff, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities list, and no verified public exploit is reported. This does not guarantee one will not emerge. Treat the vulnerability with urgency even in the absence of confirmed active exploitation.

This analysis is provided for informational purposes and is based on vulnerability data current as of the published date. Patch versions, KEV status, and exploitation details may change. Always verify patch availability and compatibility with your specific Office version and environment through official Microsoft advisories and your organization's patch management process. This document does not constitute security advice; consult your security team and vendor guidance for deployment decisions. SEC.co makes no warranty regarding the completeness or accuracy of exploit information or patch timing across all configurations. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).