CVE-2026-45458: Microsoft Office Use-After-Free Code Execution Vulnerability
A use-after-free memory vulnerability in Microsoft Office allows an unauthorized attacker to execute arbitrary code on a local system. The vulnerability affects multiple Office products and versions, including Office 2019, 2021, 2024, Microsoft 365 Apps, Word, and SharePoint Server. Exploitation requires local access but does not require user interaction or elevated privileges, making it a significant local privilege escalation and code execution risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 16 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45458 is a use-after-free vulnerability (CWE-416) in Microsoft Office components where freed memory is accessed after deallocation. This memory safety issue can be leveraged to execute arbitrary code in the context of the affected application. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates local attack vector, low attack complexity, no privilege requirement, no user interaction, and high impact across confidentiality, integrity, and availability. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update.
Business impact
This vulnerability poses a direct threat to endpoint security and data integrity across organizations using affected Microsoft Office versions. An attacker with local system access can achieve arbitrary code execution without requiring user action or elevated privileges, potentially leading to data theft, system compromise, or lateral movement within networks. For organizations managing Office deployments at scale—particularly those using Microsoft 365 Apps or enterprise SharePoint Server—remediation timelines directly affect security posture. The high severity rating and lack of user interaction requirement elevate business risk, especially in environments where local access controls may be weaker.
Affected systems
The vulnerability impacts a broad range of Microsoft Office products: Microsoft 365 Apps, Office 2019, Office 2021, Office 2024, Microsoft Word (across multiple versions), and SharePoint Server. Organizations running any of these versions in production environments should assume exposure. The breadth of affected products—spanning both perpetual licenses (Office 2019–2024) and subscription-based offerings (Microsoft 365 Apps)—means that typical enterprise environments likely contain vulnerable instances unless patches have already been applied.
Exploitability
While the vulnerability is not yet listed on CISA's KEV catalog, its technical characteristics indicate moderate to high exploitability potential. The attack vector is local-only, limiting exposure to scenarios where an attacker already has filesystem or process-level access to a target system. However, the absence of privilege requirements and user interaction means exploitation can occur automatically once code execution is achieved through another vector (e.g., a separate privilege escalation or phishing payload that gains initial code execution). The use-after-free class of vulnerability (CWE-416) is well-understood and exploitable for skilled attackers, though reliability may depend on memory layout and ASLR/DEP bypass techniques.
Remediation
Organizations should prioritize patching all affected Microsoft Office installations. Microsoft typically releases security updates on Patch Tuesday (second Tuesday of each month). Verify against Microsoft's official security advisories for specific patch versions and deployment guidance. Organizations unable to patch immediately should implement compensating controls: restrict local access to systems running Office, enforce application allowlisting to prevent untrusted code execution, monitor for suspicious Office process behavior, and consider disabling unnecessary Office features or sandboxing Office applications in high-risk environments.
Patch guidance
Apply the latest security updates from Microsoft for your specific Office version. Consult Microsoft's official security bulletins and the Microsoft 365 update history pages to confirm patch version numbers and deployment prerequisites. For Microsoft 365 Apps, updates typically roll out automatically, but administrators should verify deployment status in their tenant. For perpetual license versions (Office 2019, 2021, 2024), evaluate your organization's update baseline and schedule patches according to your change management process. Test patches in a non-production environment before broad deployment to ensure compatibility with custom macros, add-ins, or integrated third-party tools.
Detection guidance
Monitor for suspicious Office process behavior, including unexpected child processes, network connections, or file system modifications spawned from Office applications (winword.exe, excel.exe, powerpnt.exe, etc.). Endpoint Detection and Response (EDR) solutions should flag use-after-free exploitation attempts through memory protection alerts and unusual code execution patterns. Application whitelisting and behavioral analytics can help identify abnormal Office activity. Log and review Windows Event Logs for Office application crashes (which may indicate exploitation attempts) and process execution events. Organizations using Microsoft Defender for Office 365 or Defender for Endpoint should ensure threat intelligence signatures are current.
Why prioritize this
CVE-2026-45458 warrants high-priority remediation due to its HIGH severity rating, broad product coverage across enterprise Office deployments, local code execution capability without privilege or user interaction requirements, and the widespread nature of Microsoft Office in modern organizations. The absence of KEV listing does not indicate lower risk; rather, it reflects a recent publication date (June 2026). Any organization with Office 2019 or newer running on systems where local users or attackers could gain access should treat this as a critical patching target. The combination of ease of exploitation (low attack complexity) and high impact (full confidentiality, integrity, availability compromise) justifies immediate action.
Risk score, explained
The CVSS 3.1 score of 8.4 (HIGH) reflects the vulnerability's high impact on system confidentiality, integrity, and availability, coupled with low attack complexity and no privilege or user interaction requirements. The local attack vector constrains the overall score somewhat—this is not a network-exploitable vulnerability—but the lack of authentication or user interaction significantly elevates risk for any system where local code execution is possible. In environments with weak local access controls, this score may underestimate practical risk. Organizations should weight this score against their specific exposure to local attackers or lateral movement paths within their environment.
Frequently asked questions
Does this vulnerability require user interaction to exploit?
No. The CVSS vector explicitly indicates UI:N (no user interaction required). However, exploitation does require local access to the system; it cannot be exploited remotely over a network. An attacker would need to already have local code execution capability (via another vulnerability, supply chain compromise, or physical access) or local user access to trigger this use-after-free.
Is this vulnerability currently being actively exploited?
As of the latest update, CVE-2026-45458 is not listed in CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed active exploitation in the wild. However, the absence of KEV listing does not guarantee the vulnerability is not targeted; it reflects the current state of public threat intelligence. Organizations should not delay patching on this assumption. Use-after-free vulnerabilities are a well-studied attack class, and reliable exploits could be developed by sophisticated actors.
Which Office version should I prioritize for patching first?
All affected versions carry the same vulnerability, but prioritize based on your organization's exposure and risk profile. Microsoft 365 Apps (cloud-connected subscription service) should receive patches first, as Microsoft can push updates more quickly. Enterprise SharePoint Server instances facing external user exposure should be second priority. Perpetual license versions (Office 2019, 2021, 2024) should follow according to your change management schedule, with emphasis on systems in high-security roles or handling sensitive data.
Can I mitigate this without patching?
Full mitigation requires patching. Compensating controls—such as restricting local system access, disabling Office document auto-open features, enforcing application allowlisting, and monitoring for suspicious Office process behavior—can reduce risk but do not eliminate the vulnerability. These controls are best used as interim measures while patches are validated and deployed.
This analysis is based on information available as of the vulnerability's publication date (June 2026). Patch version numbers, availability dates, and KEV status are subject to change; verify all remediation steps against Microsoft's official security advisories and your vendor's guidance before implementation. This document does not constitute professional security advice; organizations should conduct their own risk assessment aligned with their security policies and regulatory requirements. No exploit code or weaponized proof-of-concept details are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability