HIGH 8.4

CVE-2026-45472: Use-After-Free in Microsoft Office Enables Local Code Execution

Microsoft Office contains a use-after-free memory vulnerability that allows an attacker with local access to execute arbitrary code without requiring special user privileges or interaction. This is a serious flaw because it affects multiple versions of Office across both subscription (Microsoft 365) and perpetual licensing models. The vulnerability stems from improper memory management when handling certain Office objects, creating a window where freed memory is accessed, potentially leading to full system compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416, CWE-787
Affected products
14 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45472 is a use-after-free vulnerability (CWE-416) with an additional out-of-bounds write component (CWE-787) in Microsoft Office. The flaw exists in memory handling logic that fails to properly validate object lifecycles before dereferencing pointers. This permits local code execution with no authentication barrier, no user interaction requirement, and no sandboxing bypass needed—the attack surface is directly exploitable from the Office process context. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity, and availability impact confined to the compromised system.

Business impact

This vulnerability poses direct risk to organizations relying on Office for document processing and collaboration. An attacker gaining local system access—through phishing, supply chain compromise, or lateral movement—can escalate to code execution without additional user action, bypassing many behavioral detection controls. For Microsoft 365 subscribers and Office perpetual license holders, this represents an immediate threat to data confidentiality (document exfiltration, credential theft), system integrity (malware installation, backdoor persistence), and availability (ransomware deployment, system shutdown). Organizations with shared workstations, remote desktop environments, or BYOD policies face elevated exposure.

Affected systems

The vulnerability affects Microsoft 365 Apps, Microsoft 365 Copilot, Microsoft 365 (core), Office 2016, Office 2019, Office 2021, and Office 2024. Both perpetual licenses and subscription-based deployments are in scope. Organizations running any combination of these versions require patch deployment. The breadth of affected versions—spanning nearly a decade of Office releases—means remediation cannot rely on version sunsetting alone; nearly all actively maintained Office deployments are vulnerable.

Exploitability

This is a locally exploitable vulnerability with no authentication, no user interaction, and no special privileges required. The attack vector is local (AV:L) and attack complexity is low (AC:L), meaning exploitation does not require advanced techniques or lucky conditions. However, the attacker must first achieve local code execution or local system access through other means. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the simplicity of the attack surface and the high-value nature of Office targets make development and weaponization risk significant.

Remediation

Immediate action is required. Consult Microsoft's security advisory for CVE-2026-45472 to identify and apply the appropriate patch version for your specific Office deployment model and version. Organizations should prioritize patching systems with the highest user density, those handling sensitive documents, and systems with external or untrusted-user access. For environments unable to patch immediately, restrict local access to Office systems, disable Office macros via Group Policy if not business-critical, and isolate high-risk workstations.

Patch guidance

Microsoft released security updates for CVE-2026-45472; consult the official Microsoft Security Update Guide and vendor advisories for specific patch versions tied to your Office version and update channel. For Microsoft 365 Apps, ensure automatic updates are enabled or apply patches through your update management tool. For Office 2016, 2019, 2021, and 2024, verify patch availability through Windows Update, WSUS, or direct download from Microsoft. Test patches in a non-production environment first, particularly in VDI or shared workstation scenarios, to confirm compatibility with plugins, templates, and custom solutions.

Detection guidance

Monitor for suspicious process creation or memory access patterns originating from Office executables (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSACCESS.EXE). Use endpoint detection and response (EDR) tools to flag heap corruption attempts, unusual code execution from Office memory spaces, or spawning of child processes with elevated privilege. Windows Event Viewer logs may capture abnormal Office process terminations or access violations. Network detection is unlikely given the local-only attack surface, but monitor for post-exploitation indicators such as credential dumping, lateral movement, or data exfiltration following Office process anomalies.

Why prioritize this

This vulnerability merits immediate remediation due to its CVSS 8.4 (HIGH) severity, the absence of interaction barriers, and the ubiquity of Office in enterprise environments. Although not yet in active public exploitation (KEV status: false), the straightforward attack surface and the value of Office as a post-exploitation springboard create significant risk. Organizations should treat this as a P1 or P2 priority depending on their environment sensitivity and user population exposure.

Risk score, explained

The CVSS 3.1 score of 8.4 reflects a local attack vector requiring no authentication or user interaction, combined with high impact across confidentiality, integrity, and availability. The use-after-free flaw is a well-understood memory corruption primitive that reliably leads to code execution in Office's complex codebase. The score does not account for exploit availability or widespread deployment, but the combination of low barriers to exploitation and high-value target make this a substantial operational risk.

Frequently asked questions

Do I need local system access to exploit this, or can it be triggered remotely?

The vulnerability requires local access to the system (AV:L per the CVSS vector). An attacker cannot directly exploit this over the network from a remote machine. However, if an attacker has already compromised the system remotely or gained initial access through phishing or supply chain means, they can then leverage this use-after-free to escalate code execution privileges locally.

Is there a workaround if I cannot patch immediately?

There is no complete workaround that eliminates the vulnerability. Mitigation strategies include: restricting local logon access to trusted users only, disabling Office macros via Group Policy if they are not required, running Office in a sandboxed or containerized environment if feasible, and segregating high-risk systems on the network. However, these measures reduce but do not eliminate risk; patching is the definitive remediation.

Does this vulnerability affect Office online or web-based versions?

CVE-2026-45472 specifically affects locally installed Office applications (Word, Excel, PowerPoint, Access, etc.) on Windows systems. Office on the Web and Microsoft 365 web apps are not listed as affected because they do not execute the vulnerable memory-handling code. However, users who download documents from Office online and open them in the desktop client become vulnerable.

How long will Microsoft support older versions like Office 2016 with patches?

Office 2016 reached mainstream support end on October 13, 2020, and extended support on October 13, 2025. If a patch is released for this CVE, verify its availability through Microsoft's support lifecycle pages. Older versions nearing or beyond end-of-support may not receive patches, making migration to Office 2021 or 2024 or a Microsoft 365 subscription more prudent for long-term security.

This analysis is based on publicly available information as of the published date. The CVSS score, affected products, and vulnerability details are provided by the source data and should be verified against Microsoft's official security advisories and the National Vulnerability Database (NVD). Patch version numbers and specific remediation timelines must be confirmed with Microsoft before deployment. This page does not constitute legal or compliance advice. Organizations should validate their own risk tolerance, regulatory obligations, and testing procedures before applying patches to production systems. SEC.co makes no warranty regarding exploit availability, real-world attack prevalence, or the completeness of detection signatures mentioned herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).