HIGH 7.8

CVE-2026-45475: Microsoft Office Heap Buffer Overflow Local Code Execution

Microsoft Office contains a heap-based buffer overflow vulnerability that allows an attacker with local access to execute arbitrary code with the privileges of the user running Office. The flaw requires user interaction—such as opening a malicious document—but once triggered, provides complete control over the affected system. This is a serious local privilege escalation risk for organizations relying on Microsoft Office across their workforce.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122
Affected products
16 configuration(s)
Published / Modified
2026-06-09 / 2026-06-19

NVD description (verbatim)

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45475 is a heap-based buffer overflow (CWE-122) in Microsoft Office affecting multiple product lines and versions. The vulnerability has a CVSS 3.1 score of 7.8 (HIGH) with a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack vector is local, requires no privileges to initiate, and demands only user interaction. The impact scope is unchanged but confidentiality, integrity, and availability are all fully compromised. The flaw resides in heap memory management within Office's document processing engine, allowing an attacker to corrupt memory structures and gain code execution in the context of the application.

Business impact

An attacker exploiting this vulnerability can steal sensitive information from Office documents, modify business-critical files, or use a compromised system as a pivot point into enterprise networks. Given Office's ubiquity in business environments, the potential blast radius is significant. Attackers could target knowledge workers with spear-phishing campaigns delivering weaponized documents, leading to data exfiltration, intellectual property theft, or lateral movement to backend systems. For organizations handling classified, regulated, or proprietary information, this poses a material compliance and operational risk.

Affected systems

The vulnerability affects Microsoft 365 Apps, Office 2016, Office 2019, Office 2021, Office 2024, and Microsoft 365 (which includes SharePoint Server in hybrid deployments). The broad version coverage means most organizations running Microsoft Office are potentially exposed. Verify your exact product SKUs and versions against the vendor advisory to confirm affected editions.

Exploitability

Exploitability is moderate in terms of attack complexity—the flaw requires local file system access and user action (opening a document)—but the barrier to weaponization is low. An attacker need only craft a malicious Office document and distribute it via email or file sharing. No network access is required, and the user does not need administrative privileges to trigger the overflow. Since no public exploits are currently tracked in CISA's KEV database, the risk of widespread automated attacks remains lower than for actively exploited vulnerabilities, but this should not be mistaken for low urgency given the ease of weaponization.

Remediation

Apply security updates from Microsoft immediately upon release. Microsoft typically bundles Office patches in monthly cumulative updates (Patch Tuesday). Organizations should prioritize deployment to machines handling sensitive data and those owned by high-value targets (executives, engineers, finance staff). For on-premises Office installations (2016, 2019, 2021, 2024), consult Microsoft's update guidance for your specific version. Microsoft 365 subscribers will receive updates automatically, but verify that auto-update policies are enabled. Until patches are applied, restrict document sharing from external sources and enforce mail gateway scanning for suspicious Office files.

Patch guidance

Monitor Microsoft's official security updates and advisories for CVE-2026-45475. Patches will vary by product line: Microsoft 365 Apps receives updates through the Update Channel you configure (Current Channel, Monthly Enterprise Channel, or Semi-Annual Enterprise Channel); traditional Office versions require KB article downloads or Windows Update. Test patches in a pilot environment before broad deployment to ensure compatibility with line-of-business add-ins and macros. Document your patching timeline and maintain records of patched versus unpatched systems for audit purposes.

Detection guidance

Monitor for Office process crashes, unexpected child process spawning from Office applications (winword.exe, excel.exe, powerpnt.exe, outlook.exe), and heap corruption indicators in event logs. Endpoint Detection and Response (EDR) solutions can flag suspicious memory access patterns or shellcode injection attempts targeting Office processes. Network-based detection is limited since the attack is local, but monitor email gateways for Office document attachments from untrusted senders. Consider blocking potentially dangerous file types or requiring user confirmation before opening documents from external sources.

Why prioritize this

This vulnerability warrants HIGH priority remediation because it combines high severity (7.8 CVSS) with broad product coverage and ease of weaponization. Local attacks often precede lateral movement in multi-stage breaches, making this an excellent initial foothold for persistent threats. The requirement for user interaction is low friction in a business environment where document sharing is routine. Although not yet in active exploitation (per KEV status), the attack surface is large and the impact is severe.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects the combination of local attack vector, low attack complexity, no privilege requirement, user interaction, and full compromise of confidentiality, integrity, and availability. The score does not incorporate threat intelligence (e.g., active exploitation or weaponization prevalence), which would elevate risk scoring in a real-world assessment. Organizations should layer detection and access controls to reduce the likelihood of user interaction with malicious documents.

Frequently asked questions

Do I need administrative privileges to be exploited by this vulnerability?

No. An attacker can trigger the heap overflow and gain code execution with the same privilege level as the user running Microsoft Office. However, the attacker's access is then limited to that user's rights. On systems where users run as standard users (not local administrators), the impact is contained to that user's files and network shares. On systems where users have administrative privileges, the attacker gains fuller system compromise.

Is this vulnerability being actively exploited in the wild?

No. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed evidence of active exploitation in the wild at this time. However, this does not mean an exploit does not exist or will not emerge. Attackers often develop exploits before public disclosure. We recommend treating this as urgent regardless of KEV status given the severity and ease of weaponization.

Will Microsoft 365 auto-update protect me without my intervention?

Yes, Microsoft 365 Apps (cloud-connected subscriptions) will receive automatic security updates if your auto-update policies are enabled. Check your update channel settings in Office to confirm. However, on-premises versions (Office 2016, 2019, 2021, 2024) require manual patching or Windows Update. Hybrid environments mixing cloud and on-premises must ensure both paths are patched.

What should I do immediately while awaiting patches?

Disable or restrict opening Office documents from external or untrusted sources. Use mail gateway and content filtering to block potentially dangerous attachments. Educate end users not to open unexpected documents. Consider disabling Office macros if your workflow permits. Monitor for suspicious Office process behavior using EDR tools. Prioritize patching for high-value targets and sensitive data handlers.

This analysis is based on official vendor disclosures and CVE metadata current as of June 2026. Patch version numbers, availability dates, and specific update procedures should be verified directly against Microsoft's security advisory for CVE-2026-45475. SEC.co makes no warranty regarding the accuracy or completeness of third-party vendor patch information. Organizations must conduct their own testing and risk assessment before deploying patches to production systems. Exploit code and detailed technical POCs are not provided herein and should not be created for operational systems without appropriate authorization and containment measures. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).