CVE-2026-45463: Integer Underflow in Microsoft Office Enables Local Code Execution
CVE-2026-45463 is a high-severity vulnerability in Microsoft Office products that allows an attacker to execute arbitrary code on a local system without requiring any special privileges or user interaction. The flaw stems from an integer underflow bug—a condition where a numerical calculation wraps around to an unexpectedly large value, corrupting memory and enabling code execution. Because no credentials or user action are needed to trigger the vulnerability, any user with local access to an affected system is at immediate risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-121, CWE-191
- Affected products
- 14 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Integer underflow (wrap or wraparound) in Microsoft Office allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
An integer underflow vulnerability (CWE-191) exists in Microsoft Office, compounded by potential memory corruption issues (CWE-121). When Microsoft Office processes specially crafted input, a numerical value can underflow, wrapping around to an extremely large number. This corrupts adjacent memory regions, allowing an attacker to overwrite critical data structures or inject malicious instructions. The vulnerability is triggered locally without requiring user privileges (PR:N) or user interaction (UI:N), and impacts the confidentiality, integrity, and availability of the affected system (C:H/I:H/A:H).
Business impact
This vulnerability poses a significant risk to organizations deploying Microsoft Office across their environment. An attacker with local system access—whether through compromised credentials, physical access, or lateral movement within a network—can execute arbitrary code with the same privileges as the user running Office. This enables theft of sensitive documents, installation of persistent malware, lateral network compromise, and operational disruption. Organizations relying on Office for business-critical workflows should prioritize immediate assessment and patching.
Affected systems
Microsoft 365 Apps, Microsoft 365 Copilot, Microsoft 365, Office 2016, Office 2019, Office 2021, and Office 2024 are affected. The vulnerability spans both subscription-based (Microsoft 365) and perpetual-license Office editions, making it broadly applicable across enterprise and consumer deployments. Verify your specific Office version and update status against the vendor's advisory.
Exploitability
The vulnerability requires local access to the target system, which limits exposure in fully remote work environments but remains a significant risk for hybrid or on-premises settings. No user interaction is required—an attacker can exploit it automatically upon system access. No publicly disclosed exploit code exists as of the advisory date, though the straightforward nature of integer underflow vulnerabilities suggests exploitation is feasible for a capable threat actor. Organizations should assume this will be weaponized if left unpatched.
Remediation
Apply the latest security updates from Microsoft as soon as practical. Microsoft has released patches across all affected Office versions; consult the official Microsoft Security Response Center (MSRC) advisory for version-specific patch numbers and download links. For organizations unable to patch immediately, restrict local system access through strong access controls, network segmentation, and monitoring.
Patch guidance
Obtain patches through Windows Update, Microsoft Update, or the Microsoft Download Center, depending on your Office deployment model. Microsoft 365 subscribers typically receive patches automatically; verify that auto-update is enabled. Organizations managing Office 2016, 2019, 2021, or 2024 should download patches from the vendor's security advisory and validate successful installation across all affected systems. Test patches in a non-production environment before broad deployment to ensure compatibility with business-critical workflows.
Detection guidance
Monitor systems for signs of suspicious local process execution or unexpected code execution from Office applications. Endpoint Detection and Response (EDR) solutions should flag unusual memory access patterns or shellcode-like activity originating from Office processes. Log and alert on failed Office operations or crashes that may indicate exploitation attempts. Organizations should also audit local system access logs to identify which accounts have accessed at-risk Office installations, particularly in the period before patching.
Why prioritize this
This vulnerability merits immediate attention because it combines high severity (CVSS 8.4), broad product impact across Office 2016–2024 and Microsoft 365, and the absence of privilege or interaction requirements. The high integrity and confidentiality impact means attackers can steal data or establish persistence. While the local-access requirement provides some boundary, the ease of initial compromise through phishing or credential theft makes this a meaningful risk. Organizations should prioritize patching over other lower-severity work.
Risk score, explained
The CVSS 3.1 score of 8.4 reflects the combination of local attack vector, low attack complexity, no privilege requirement, no user interaction needed, and high impact across confidentiality, integrity, and availability. The vulnerability does not allow lateral network attacks directly, and it does not affect system availability globally—only the compromised instance—which prevents a perfect 9.8 rating. Nevertheless, the score accurately captures a dangerous flaw that can lead to complete system compromise by a local attacker.
Frequently asked questions
Do I need to be an administrator to exploit this vulnerability?
No. The vulnerability requires local access to the system but no elevated privileges. Any user account with the ability to run Office can be exploited, or an attacker with general local access can trigger the flaw. This makes it particularly dangerous in multi-user or shared-system environments.
Is this vulnerability actively exploited in the wild?
As of the advisory publication date, CVE-2026-45463 is not tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog and no public exploit code has been disclosed. However, organizations should assume threat actors will develop exploit code if the vulnerability remains unpatched. Do not delay patching based on lack of observed exploitation.
What is the difference between Microsoft 365 and Office 2024, and do I need separate patches?
Microsoft 365 is a subscription service that includes Office applications and typically receives automatic updates. Office 2024 is a perpetual-license version that requires manual patching or Windows Update. Check your specific deployment model and ensure all versions in your environment are updated according to the vendor's guidance.
If we only use Office online (Office on the web) and not desktop Office, are we affected?
Office on the web runs in a browser sandbox on Microsoft servers, not locally on your system. The local attack vector requirement means the desktop and subscription-installed versions are the primary concern. However, verify with Microsoft that your specific usage pattern is not affected, and review the complete advisory.
This analysis is based on information available as of the advisory publication date and vendor disclosures. CVSS scores and severity ratings are provided by the vendor; SEC.co does not independently assign CVSS scores. Patch version numbers, CVE ID accuracy, and product lists should be verified against the official Microsoft Security Response Center (MSRC) advisory before deployment. Exploitation details and proof-of-concept code are not provided; refer to vendor guidance and trusted security research for technical validation. This explainer does not constitute legal, compliance, or procurement advice. Organizations should integrate this vulnerability assessment into their own risk management, testing, and patching workflows. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10898HIGHChrome GPU Stack Buffer Overflow Sandbox Escape
- CVE-2026-11024HIGHChrome Skia Stack Buffer Overflow - Patch Guide & Risk Analysis
- CVE-2026-42980HIGHWindows NT Kernel Integer Underflow Privilege Escalation Vulnerability
- CVE-2026-42981HIGHWindows Performance Monitor Integer Underflow RCE
- CVE-2026-45469HIGHMicrosoft Excel Integer Underflow Remote Code Execution Vulnerability
- CVE-2026-45648HIGHActive Directory Stack Buffer Overflow – Windows Server 2022/2025 RCE
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk