CVE-2026-45471: Microsoft Office Word Pointer Dereference Vulnerability (CVSS 7.8)
A vulnerability in Microsoft Office Word allows an attacker to execute arbitrary code on a victim's computer by exploiting improper handling of pointers in memory. An attacker would need to trick a user into opening a malicious Word document; once opened, the flaw enables local code execution with the privileges of the logged-in user. This is a local attack that requires user interaction but poses significant risk to confidentiality, integrity, and availability of the affected system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-822
- Affected products
- 16 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-19
NVD description (verbatim)
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45471 is an untrusted pointer dereference flaw (CWE-822) in Microsoft Office Word. The vulnerability allows an unauthenticated attacker to execute code locally on a system running vulnerable versions of Office. The attack vector is local (AV:L), requires user interaction (UI:R) to open a crafted document, and carries high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS 3.1 score of 7.8 reflects the severity of arbitrary code execution coupled with the user-interaction prerequisite.
Business impact
Successful exploitation could allow attackers to compromise individual workstations and gain the ability to steal sensitive data, modify files, install malware, or disrupt business operations. Because this affects Microsoft Office across multiple product lines and deployment models (on-premises and cloud-connected), the attack surface is broad in most organizations. The requirement for user interaction means that phishing campaigns distributing malicious Word documents could effectively weaponize this flaw at scale.
Affected systems
The vulnerability affects multiple Microsoft product families: Microsoft 365 Apps (both cloud and on-premises variants), Microsoft Office 2019, Office 2021, and Office 2024 across all standard editions. Microsoft Word is directly impacted, as are collaborative environments using Microsoft SharePoint Server with Office integration. Organizations running any of these Office versions should assume exposure unless patching has been completed.
Exploitability
While the vulnerability requires local access and user interaction (opening a document), the barrier to exploitation is relatively low. Phishing or social engineering tactics can reliably deliver malicious documents to end users. The flaw does not require special privileges to trigger—any user can be targeted. However, because no exploit has yet been integrated into the Exploit Database or known exploit frameworks according to current intelligence, opportunistic attacks may initially lag behind targeted campaigns. The KEV catalog does not currently list this vulnerability, though organizations should monitor for changes.
Remediation
Organizations must apply security updates released by Microsoft for all affected Office products. Patch availability and version numbers should be verified against the official Microsoft Security Update Guide and the June 2026 security releases. Until patches are deployed, consider restricting opening of Word documents from untrusted sources and implementing application control policies to prevent unauthorized code execution.
Patch guidance
Apply the latest Microsoft security updates for Microsoft 365 Apps, Office 2019, Office 2021, Office 2024, and SharePoint Server. Consult the Microsoft Security Update Guide for specific version numbers and download links; patches should have been released concurrent with or shortly after the June 9, 2026 publication date. Prioritize deployment to systems with high user exposure to external documents. Test patches in a controlled environment before broad rollout to ensure compatibility with line-of-business applications.
Detection guidance
Monitor for unexpected code execution spawned from Office processes (winword.exe, svchost.exe in Office contexts). Endpoint detection and response (EDR) tools should flag suspicious memory access patterns or pointer dereference anomalies. Network indicators may include unusual outbound connections initiated by Office processes. Email security systems should implement stronger scrutiny of Word attachments, particularly from external senders. User education on not opening unexpected document attachments remains a critical detective and preventive measure.
Why prioritize this
With a CVSS score of 7.8 (HIGH) and impact covering confidentiality, integrity, and availability, this vulnerability warrants immediate prioritization. The attack surface is broad—affecting nearly all Office users in most enterprises—and the exploitation mechanism (malicious document delivery) is well-understood and low-friction for attackers. Although not yet in public exploit databases, the combination of high impact and user-interaction prerequisites makes this an attractive target for targeted campaigns and eventual broader exploitation.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects high severity: local code execution (worst-case outcome) triggered by user interaction. The score acknowledges that exploitation requires a victim to open a document and does not require elevated privileges, making it realistically achievable in most organizational environments. The absence from the KEV catalog does not lower the score; it indicates that coordinated exploitation has not yet been documented at government or critical infrastructure scale, but defenders should not interpret this as low risk.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. The attacker must convince or trick a user into opening a malicious Word document. This is the critical gating factor; however, phishing and social engineering are reliable and prevalent attack techniques, so user interaction should not be underestimated as a control.
Does this affect Word Online or web-based Office 365 versions?
The vulnerability is documented in the locally-installable Office products (2019, 2021, 2024) and Microsoft 365 Apps. Verify with Microsoft's advisory whether Word Online or browser-based Office 365 components are in scope; pointer dereference issues typically manifest in native code rather than web implementations, but vendor confirmation is essential.
What is CWE-822 and why is it dangerous?
CWE-822 is 'Untrusted Pointer Dereference,' a memory safety defect where an application dereferences a pointer without validating it first. In Office, this allows an attacker to read or write arbitrary memory, leading to information disclosure or code execution. Pointer dereference flaws are among the most critical memory-safety issues in compiled code.
If we patch all Office installations, are we fully protected?
Patching eliminates this specific vulnerability, but it should be part of a broader security posture: restrict document sharing policies, enable sandboxing features in Office if available, maintain EDR coverage, and conduct user awareness training on phishing and malware delivery. No single patch eliminates all risk.
This analysis is based on publicly available vulnerability data published as of June 2026. Specific patch version numbers, availability, and detailed product compatibility should be verified against official Microsoft Security Updates and vendor advisories. No exploit code is provided herein. Organizations should test patches in non-production environments before deployment. This document is for informational purposes and does not constitute security advice tailored to any specific organization's infrastructure or risk profile. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45643HIGHMicrosoft Office Word Pointer Dereference RCE Vulnerability
- CVE-2026-45645HIGHMicrosoft Office Untrusted Pointer Dereference RCE
- CVE-2026-44805MEDIUMWindows Network Controller Host Agent Use-After-Free DoS Vulnerability
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution