CVE-2026-45457: Microsoft Office Word Out-of-Bounds Read Remote Code Execution
A flaw in Microsoft Office Word can allow an attacker to read memory outside the intended bounds and execute malicious code on a user's computer. The attack requires local access and user interaction—someone must open a specially crafted Word document. Once triggered, the vulnerability gives an attacker full control over the affected machine, including the ability to read sensitive data, modify files, or install malware.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45457 is an out-of-bounds read vulnerability (CWE-125) in Microsoft Office Word that enables arbitrary code execution with local attack vector. The CVSS 3.1 score of 7.8 (HIGH) reflects a low attack complexity and no privilege requirement, but requires user interaction to open a malicious document. The vulnerability resides in Word's document parsing logic, where insufficient bounds checking on memory access allows an attacker to read beyond allocated buffer regions and ultimately achieve code execution in the context of the logged-in user.
Business impact
This vulnerability poses a direct risk to any organization where users work with Word documents from untrusted or semi-trusted sources. Successful exploitation results in complete system compromise under the user's privilege level. In environments handling sensitive intellectual property, customer data, or financial records, this could lead to data exfiltration, regulatory violations, and operational disruption. Remote work scenarios increase exposure, as users may be less cautious opening documents from email or file-sharing services.
Affected systems
Confirmed affected products include Microsoft 365 Apps, Microsoft 365 (the subscription service), Office 2021, and Office 2024. Any organization using these versions is potentially at risk. On-premises deployments of Office 2021 and 2024, as well as cloud-based Microsoft 365 subscriptions, require patching. Verify the exact patch status in your environment against the Microsoft security advisory.
Exploitability
Exploitation requires local access and user action—specifically, the user must open a malicious Word document. There is no remote exploitation vector and no requirement for elevated privileges beforehand. The attack relies on social engineering to deliver the document. As of the vulnerability publication date, there is no evidence of active exploitation in the wild (KEV status: not listed), but the relatively low barrier to initial compromise and high impact make this an attractive target for threat actors once patches lag in real-world environments.
Remediation
Organizations should prioritize patching affected Microsoft Office products as soon as vendor updates become available. Verify patch availability and version numbers through the official Microsoft Security Update Guide. In parallel, implement compensating controls: restrict document opening from untrusted sources, use macroless templates where possible, disable automatic content download, and enforce user awareness training on opening unexpected attachments. For high-risk users, consider disabling legacy document formats or using document conversion workflows.
Patch guidance
Monitor the Microsoft Security Update Guide (portal.msrc.microsoft.com) for patches addressing CVE-2026-45457 across all affected product lines. Patches will likely be released in monthly cumulative updates or out-of-band advisories. Test patches in a non-production environment before broad rollout, particularly in Microsoft 365 environments where automatic updates may be configured. For Office 2021 and 2024 on-premises, coordinate patch deployment with your change management process. Verify successful patch application by confirming the updated Office build version matches the advisory guidance.
Detection guidance
Monitor for suspicious Word document access patterns, particularly opens from temporary, download, or email staging directories. Endpoint Detection & Response (EDR) tools should flag unexpected code execution spawned from WINWORD.EXE or child processes attempting to access system resources, write to HKEY_LOCAL_MACHINE, or execute scripts. Inspect network traffic for unusual outbound connections immediately following document opens. Log all successful and failed document opens in security information and event management (SIEM) systems. Watch for phishing campaigns delivering weaponized .docx files, and correlate document metadata (sender, timestamps, file hashes) across your organization to identify targeted attacks.
Why prioritize this
Despite a lack of current KEV listing, this vulnerability merits immediate prioritization due to its HIGH CVSS score, low attack complexity, and prevalence of Microsoft Office in enterprise environments. The requirement for user interaction, while a limiting factor, is routinely overcome through social engineering. The breadth of affected products—spanning both subscription and perpetual Office licenses—means patch coordination is complex. Organizations should treat this as urgent and allocate resources to testing and deployment within 2–4 weeks of patch availability.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector (AV:L) limiting initial compromise scope; low attack complexity (AC:L) making exploitation straightforward once a malicious document reaches the user; no privilege escalation required (PR:N); user interaction needed (UI:R) to open the document; impact confined to the user's context (S:U); and full compromise across confidentiality, integrity, and availability (C:H, I:H, A:H). The HIGH severity is justified by the combination of ease of exploitation and complete system control upon success. The absence of network-based attack vectors prevents a CRITICAL score.
Frequently asked questions
Do we need to patch immediately if we're not using Office 2024 or Microsoft 365?
If your organization uses Office 2021, Microsoft 365, or Microsoft 365 Apps, you are affected and should prioritize patching. Older versions (Office 2019 and earlier) are not listed as affected by this CVE, but verify against the official Microsoft advisory for your specific build and deployment model.
Can this vulnerability be exploited if a user just receives the malicious document but doesn't open it?
No. The vulnerability requires the document to be opened in Word to trigger the out-of-bounds read and code execution. Simply receiving or storing the file does not pose immediate risk, though users should be educated not to open unexpected attachments.
Are there workarounds if we cannot patch immediately?
Implement defense-in-depth: restrict document opens from untrusted sources, use application whitelisting, disable macros and active content by default, and enforce user warnings for downloaded files. Monitor EDR logs closely for signs of exploitation. However, these measures are not substitutes for patching and should be temporary while you coordinate patch deployment.
Is this vulnerability being actively exploited in the wild?
As of the publication and modification dates provided, there is no evidence of active in-the-wild exploitation, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the low barrier to exploitation and high impact make it attractive to threat actors, so assume exploitation will increase as patch adoption lags in real-world deployments.
This analysis is based on vulnerability metadata current as of the publication and modification dates noted. Patch versions, availability, and KEV status may change; verify all references against the official Microsoft Security Update Guide and CISA advisories before operational decisions. No exploit code or weaponized proof-of-concept details are provided. This document is for informational purposes and does not constitute legal or compliance advice. Organizations must perform their own risk assessment and testing before deploying patches or mitigations. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11077HIGHChrome Dawn Graphics Vulnerability – Sandbox Escape Risk
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-11191HIGHOut-of-Bounds Memory Access in Chrome ANGLE Library