CVE-2026-45461: Microsoft Office Use-After-Free Remote Code Execution Vulnerability
A use-after-free memory flaw in Microsoft Office could allow an attacker with local access to run malicious code on your system with the same privileges as the logged-in user. The vulnerability requires no special permissions or user interaction beyond having access to the machine, making it a serious risk in environments where multiple users or untrusted software might run on the same device.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416, CWE-787
- Affected products
- 14 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45461 is a use-after-free vulnerability (CWE-416) combined with a buffer overflow issue (CWE-787) in Microsoft Office. The flaw exists in memory management within the Office application suite. When Office processes certain operations, it may reference memory that has already been freed, allowing an attacker to write to or execute from that memory region. This occurs in the local execution context without requiring elevated privileges or user interaction, making the attack surface broader than typical office-based vulnerabilities.
Business impact
This vulnerability poses a direct threat to any organization running Microsoft Office across their user base. Compromised systems could lead to data exfiltration, lateral movement to more critical assets, installation of persistent malware, and operational disruption. The high CVSS score reflects the severity: attackers with local access can achieve confidentiality, integrity, and availability compromise without needing admin rights. In shared computing environments, managed workstations, or scenarios where untrusted code execution is possible, exploitation risk escalates significantly.
Affected systems
Microsoft Office 2016, 2019, 2021, and 2024 are affected, as well as Microsoft 365 Apps and Microsoft 365 Copilot. Organizations running any of these versions—whether as standalone installs or through Microsoft 365 subscriptions—should prioritize assessment. The breadth of affected versions reflects Office's deep penetration across enterprises and means patching will require coordination across multiple deployment channels.
Exploitability
The vulnerability does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no public evidence of active exploitation as of the latest update. However, the attack vector is local with low complexity and no privilege requirement. Once a working exploit is developed and shared, the barrier to weaponization is low. The lack of KEV status should not diminish urgency; a use-after-free in Office is an attractive target for threat actors given Office's ubiquity.
Remediation
Microsoft has released patches for affected Office versions. Organizations should verify the specific patch versions applicable to their deployed editions by consulting Microsoft's security advisory and MSRC (Microsoft Security Response Center) bulletin for CVE-2026-45461. Patching should be expedited given the HIGH severity and local attack vector. For Microsoft 365 Apps, patches are typically deployed automatically; verify that automatic updates are enabled and have completed. For Office 2016, 2019, and 2021 standalone installations, manual update deployment may be necessary.
Patch guidance
Contact Microsoft or review the official MSRC advisory for CVE-2026-45461 to identify the specific patched versions for your Office edition. Test patches in a controlled environment before broad rollout to avoid compatibility issues. For Microsoft 365 subscribers, ensure your tenant and client devices are on the latest build. For on-premises Office installations, use your standard change management and deployment tools (SCCM, Intune, Group Policy) to distribute patches. Prioritize user-facing workstations and shared machines where local access risk is highest.
Detection guidance
Monitor for use-after-free exploitation attempts through memory corruption signatures in your EDR/XDR platform. Look for Office applications generating unexpected crashes or exhibiting abnormal memory access patterns. Review process execution logs for Office spawning child processes (cmd.exe, powershell.exe) in contexts where that behavior is unusual. Behavioral indicators include Office processes attempting to allocate large memory regions or accessing memory addresses that deviate from normal application behavior. Endpoint Detection and Response (EDR) tools with memory forensics capabilities are particularly valuable for detecting this class of vulnerability.
Why prioritize this
This vulnerability merits immediate prioritization due to: (1) HIGH CVSS score (8.4) with full confidentiality, integrity, and availability impact; (2) no privilege escalation needed; (3) local attack vector that does not require social engineering or user interaction; (4) extremely broad product coverage spanning Office 2016 through 2024 plus Microsoft 365 suites; (5) absence from KEV catalog does not reduce risk—it reflects current status, not inherent safety. In environments with shared devices, remote desktop services, or containers where untrusted local code execution is possible, the threat is amplified.
Risk score, explained
The CVSS 3.1 score of 8.4 reflects: Attack Vector (Local) = more restricted than network but still applicable to many scenarios; Attack Complexity (Low) = the flaw is straightforward to trigger; Privileges Required (None) = no admin or special access needed; User Interaction (None) = no clicking, opening files, or tricking users; Scope (Unchanged) = impact is limited to the Office process and its context, not system-wide; Confidentiality/Integrity/Availability (all High) = the attacker can read sensitive data, modify files, and crash the application. The result is a HIGH severity vulnerability that demands urgent patching but is mitigated somewhat by the local-only attack vector.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The attack vector is explicitly local (AV:L), meaning an attacker must have direct access to the machine or be able to execute code on it locally. Remote exploitation is not possible through this vulnerability alone. However, if an attacker gains initial local code execution through another method, this flaw could be chained to escalate impact.
Do we need to worry about this if Office is not in use?
If Office is not installed or running, the immediate exposure is eliminated. However, many organizations cannot avoid Office, making it a standard install. Even unused Office installations present risk if an attacker can trigger the application's code path. We recommend patching rather than relying on non-use.
Will Microsoft 365 Copilot installations be automatically patched?
Microsoft 365 cloud services typically receive patches automatically. However, verify that auto-updates are enabled in your tenant configuration. For Copilot integrated into Office clients, the same patch timeline applies as for the underlying Office version. Check your Microsoft 365 admin center for update status.
What should we do if we cannot patch immediately?
Implement compensating controls: restrict local access and administrative privileges, disable Office macros and plugins from untrusted sources, monitor EDR/XDR for exploitation attempts, and isolate critical machines from general-use networks. Establish a clear patching timeline and communicate it to stakeholders. A high-severity local vulnerability should not remain unpatched for extended periods.
This analysis is based on publicly available vulnerability data as of the publication date. Specific patch versions, availability timelines, and affected sub-versions should be verified against Microsoft's official MSRC advisory. SEC.co does not provide legal or compliance advice; consult your organization's security and legal teams regarding remediation and risk acceptance decisions. This document does not constitute a guarantee of security or immunity from exploitation. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42913HIGHRemote Desktop Client Race Condition Allows Network Code Execution
- CVE-2026-42985HIGHRemote Desktop Client Use-After-Free RCE Vulnerability
- CVE-2026-44801HIGHRemote Desktop Client Use-After-Free Code Execution Vulnerability
- CVE-2026-45472HIGHUse-After-Free in Microsoft Office Enables Local Code Execution
- CVE-2026-45474HIGHCritical Use-After-Free in Microsoft Office (CVSS 8.4)
- CVE-2026-47653HIGHRemote Desktop Client Use-After-Free Code Execution Vulnerability
- CVE-2026-47654HIGHCritical RDP Use-After-Free Vulnerability in Windows Server