MEDIUM 4.7

CVE-2026-45460: Microsoft Office Buffer Over-Read Information Disclosure Vulnerability

A buffer over-read vulnerability in Microsoft Office could allow an attacker to read sensitive information from a user's computer. The attacker would need to trick a user into opening a specially crafted Office document, but once triggered, the flaw could expose data in memory that shouldn't be accessible. This is a local-only issue affecting the person using the Office application, not a remote attack vector.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.7 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-126
Affected products
12 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Buffer over-read in Microsoft Office allows an unauthorized attacker to disclose information locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45460 is a CWE-126 (buffer over-read) vulnerability in Microsoft Office that enables unauthorized information disclosure through memory access beyond buffer boundaries. The vulnerability requires local access and user interaction—specifically, opening a malicious Office document—but results in high confidentiality impact with no integrity or availability risk. The attack complexity is high, indicating the attack requires specific conditions to succeed. The CVSS 3.1 vector (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects a score of 4.7 (MEDIUM severity).

Business impact

Information disclosure from a buffer over-read can expose sensitive data such as credentials, PII, or proprietary information resident in process memory. For organizations where users routinely handle confidential documents or where Office is used for sensitive workflows, this vulnerability presents a data exfiltration risk. The requirement for user interaction and local access limits the blast radius compared to remote code execution flaws, but the high confidentiality impact warrants risk-based mitigation. Regulatory or compliance concerns may arise if the exposed data includes regulated information (e.g., PII, PHI, financial records).

Affected systems

The vulnerability affects multiple Microsoft Office product lines: Microsoft 365 Apps, Microsoft 365 Copilot, Microsoft 365, Office 2019, Office 2021, and Office 2024. Organizations running any of these versions should be considered at risk. The scope is broad, spanning both subscription-based (Microsoft 365) and perpetual license (Office 2019, 2021, 2024) deployments.

Exploitability

Exploitability is constrained by the requirement for local system access and user interaction. An attacker cannot trigger the vulnerability remotely over the network. Instead, the attacker must craft a malicious Office document and deliver it via email, file sharing, or social engineering—relying on the user to open it. The high attack complexity suggests specific file format conditions or document properties must be present, making widespread automated exploitation less likely. However, targeted attacks against specific users or organizations handling sensitive documents remain plausible.

Remediation

Apply security updates from Microsoft as they become available for affected Office versions. Microsoft typically releases patches via Windows Update, Microsoft Update, or direct downloads through the Microsoft 365 admin center or Office Update channels. Organizations should prioritize patching systems where users handle sensitive documents or work in high-risk roles. Additionally, reinforce user awareness training to avoid opening unsolicited Office documents from untrusted sources.

Patch guidance

Monitor Microsoft Security Updates and the Office release notes for patches addressing CVE-2026-45460. Patches should be evaluated and deployed according to your organization's change management and patch deployment windows. For Microsoft 365 Apps and Microsoft 365 Copilot users, updates may be automatically deployed; verify your update settings in the Microsoft 365 admin center. For perpetual Office versions (2019, 2021, 2024), confirm patch availability through Windows Update or the Office Update mechanism, and test in a non-production environment before broad rollout.

Detection guidance

Monitor for suspicious Office document activity, particularly files with unusual or obfuscated properties that may be crafted to trigger the buffer over-read. Endpoint Detection and Response (EDR) tools can flag abnormal memory access patterns or process behavior following Office document opening. Log Office application crashes or access violations, as failed exploitation attempts may generate detectable signals. Network-level detection is limited since the vulnerability is local-only; focus on host-based monitoring and user reporting of unexpected behavior.

Why prioritize this

Although the CVSS score is MEDIUM (4.7), the vulnerability warrants prioritization in organizations handling sensitive data due to its high confidentiality impact and the broad installed base of Microsoft Office. The low exploitability barriers—requiring only social engineering and a crafted document—make it an attractive vector for targeted attacks. The absence of KEV status indicates no known active exploitation, but organizations should not delay patching based on this; the attack surface is significant and the information disclosure risk is material.

Risk score, explained

The CVSS 3.1 score of 4.7 reflects a MEDIUM severity rating driven primarily by high confidentiality impact (C:H) balanced against attack constraints. Local access requirement (AV:L), high attack complexity (AC:H), and user interaction dependency (UI:R) reduce the score. No integrity or availability impact keeps the score from reaching HIGH. However, context matters: organizations with high-value data or strict regulatory compliance obligations should treat this as higher-priority than the raw CVSS suggests.

Frequently asked questions

Can this vulnerability be exploited remotely over a network?

No. CVE-2026-45460 requires local system access and user interaction. An attacker cannot exploit it by sending a network packet or accessing a remote system directly. Exploitation requires delivering a malicious Office document to a user and convincing them to open it.

What type of information could be disclosed?

The buffer over-read exposes data in the Office application's memory. This could include cached document content, credentials, encryption keys, or other sensitive data that the application or operating system has in RAM. The specific information depends on what the process holds in memory at the time of exploitation.

Do I need to patch if my users don't open untrusted documents?

Strong user behavior reduces risk, but is not a guarantee. Malicious documents can be disguised or arrive through compromised trusted sources. Patching is the definitive remediation and should be applied regardless of user discipline. User awareness training is a complementary control, not a substitute for patching.

Is this vulnerability being actively exploited?

As of the published and modified dates (June–July 2026), CVE-2026-45460 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation in the wild. However, the absence of KEV status does not mean exploitation is impossible; it reflects current threat intelligence at the time of publication.

This analysis is for informational purposes and based on the CVE record as published. Security assessments should be tailored to your organization's environment, data classification, and risk tolerance. Verify patch availability and compatibility through official Microsoft advisories before deployment. SEC.co makes no warranties regarding the completeness or timeliness of this information. Always consult vendor documentation and your internal security team for deployment decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).