HIGH 8.4

CVE-2026-45474: Critical Use-After-Free in Microsoft Office (CVSS 8.4)

A use-after-free vulnerability in Microsoft Office allows an attacker to execute arbitrary code on a local system without requiring user interaction or special privileges. This is a memory safety issue where the application references memory that has already been freed, potentially enabling complete system compromise through malicious Office documents or crafted input.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416, CWE-787
Affected products
14 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45474 is a use-after-free vulnerability (CWE-416) in Microsoft Office that also exhibits characteristics of a buffer over-read condition (CWE-787). The flaw resides in memory management within Office applications, where freed memory is accessed after deallocation. The attack vector is local (AV:L) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The vulnerability grants the attacker high confidentiality, integrity, and availability impact (C:H/I:H/A:H), resulting in a CVSS v3.1 score of 8.4 (HIGH severity).

Business impact

This vulnerability poses a significant risk to organizations heavily reliant on Microsoft Office across Microsoft 365, Office 2016, 2019, 2021, and 2024 deployments. An attacker with local access to an affected system can fully compromise it—reading sensitive documents, modifying files, installing malware, or leveraging the compromised machine as a pivot point into the network. For enterprises with shared workstations, terminal servers, or bring-your-own-device policies, the local attack requirement is a practical concern. The absence of user interaction needed makes this particularly dangerous in scenarios where malicious documents are pre-positioned or where initial access is already established.

Affected systems

The vulnerability affects multiple Microsoft Office products and versions: Microsoft 365 Apps, Microsoft 365 Copilot, Microsoft 365, Office 2016, Office 2019, Office 2021, and Office 2024. Organizations using any of these Office editions should inventory affected systems immediately. The breadth of impacted versions—spanning both on-premises installations (Office 2016–2024) and cloud-based deployments (Microsoft 365 Apps and Copilot)—means patch management across hybrid environments will be necessary.

Exploitability

The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of the vulnerability's publication and last modification dates. However, the low attack complexity and absence of prerequisites (no privileges, no user interaction required) make this vulnerability inherently exploitable by a local attacker once code execution is achieved through initial access. The flaw does not require social engineering or user error; a well-crafted input triggering the use-after-free condition suffices. Organizations should assume active exploitation is likely once the vulnerability becomes widely known.

Remediation

Patch all affected Microsoft Office installations as soon as patches become available from Microsoft. Verify against official Microsoft security advisories for version-specific patch numbers and deployment guidance. Prioritize Microsoft 365 Apps and Office 2024 deployments first, as these represent the most current and widely deployed versions. For environments with slower patching cadences, apply compensating controls: restrict Office file execution from untrusted sources, disable Office macros in productivity settings, and monitor for suspicious Office process behavior.

Patch guidance

Monitor Microsoft's Security Update Guide and official advisories for patched versions of affected Office products. Organizations should follow their standard patching processes, testing patches in non-production environments first. Given the LOCAL attack vector, prioritize systems where users have access to potentially malicious files or where shared workstations exist. For Microsoft 365 Apps, updates are typically deployed automatically; verify that automatic updates are enabled. For on-premises Office 2016–2024 installations, deploy patches through Windows Update or your organization's patch management system. Verify against the vendor advisory for specific patch version numbers applicable to your deployment.

Detection guidance

Monitor for abnormal Office application behavior, including unexpected process creation, elevated privilege escalation attempts, or unusual memory access patterns. Endpoint Detection and Response (EDR) solutions should flag use-after-free exploitation signatures, though Office-specific detection is limited without behavioral baselines. Log Office application crashes or unusual terminations, as unsuccessful exploitation attempts may leave traces. Network-based detection is limited since the attack is local, but monitor for post-compromise indicators such as lateral movement attempts originating from Office processes. File integrity monitoring on Office configuration and executable directories can help identify tampering.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score (8.4), broad product impact spanning enterprise Office deployments, and complete compromise potential. The absence of user interaction or privilege requirements removes significant barriers to exploitation. Although currently not in the KEV catalog, the technical characteristics suggest rapid exploitation capability once public details emerge. Organizations should treat this as a critical patching priority, especially for systems where local users have potential access to untrusted Office documents.

Risk score, explained

The CVSS v3.1 score of 8.4 (HIGH) reflects full impact across confidentiality, integrity, and availability. The local attack vector and low complexity are offset by the complete system compromise potential. The absence of privilege requirements and user interaction significantly elevates risk in multi-user or shared-resource environments. While the attack vector is local, insider threats, supply-chain compromises, or prior network breaches establishing local access are realistic scenarios. The score appropriately reflects a vulnerability requiring urgent remediation.

Frequently asked questions

Does this vulnerability require a user to open a malicious document?

No. While a malicious document could trigger the use-after-free condition, the vulnerability does not strictly require user interaction (UI:N per CVSS). An attacker with local system access can potentially trigger the flaw through other means, such as specially crafted input to Office services or processes running in the background.

Is this vulnerability being actively exploited?

As of the vulnerability's publication date, it has not been added to CISA's Known Exploited Vulnerabilities catalog. However, the low barrier to exploitation and the lack of prerequisites make active exploitation likely once proof-of-concept details are published. Organizations should not rely on KEV status as an indicator of real-world exploitation risk.

Which is more critical: Office 2021 or Microsoft 365 Apps?

Both are critical and should be patched immediately. Microsoft 365 Apps receives updates more frequently and automatically, so patch availability may be faster. Office 2021 and earlier versions may have slower update cycles. Prioritize based on your organization's deployment footprint and risk exposure.

Can network-based firewalls or intrusion prevention systems block exploitation of this vulnerability?

Not effectively, since the attack vector is local. Network controls provide no protection once an attacker has system-level access. Focus remediation efforts on timely patching, endpoint detection and response, and restricting execution of untrusted Office files.

This analysis is provided for informational purposes only and does not constitute professional security advice. Organizations must verify all patch version numbers, affected product versions, and remediation guidance against official Microsoft security advisories and their own environment configurations. SEC.co does not warrant the accuracy or completeness of this assessment. No exploit code, weaponized proof-of-concept, or detailed exploitation techniques are provided or implied. Organizations should consult their security teams and incident response procedures before taking action. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).