LOW 3.3

CVE-2026-45485: Out-of-Bounds Read in Microsoft Office – Information Disclosure Vulnerability

Microsoft Office contains a flaw that allows an attacker to read data from memory locations outside the intended bounds, potentially exposing sensitive information stored locally on a user's machine. The vulnerability requires local system access and user interaction (such as opening a malicious document), but does not allow the attacker to modify or delete data or crash the application. This is classified as a low-risk issue because it requires presence on the affected system and a user action to trigger exposure.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-125
Affected products
16 configuration(s)
Published / Modified
2026-06-09 / 2026-06-19

NVD description (verbatim)

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45485 is an out-of-bounds read vulnerability (CWE-125) in multiple Microsoft Office installations and related products. The flaw exists in memory access handling, allowing an unauthenticated attacker with local access to read beyond allocated buffer boundaries. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) indicates low attack complexity, local attack vector, requirement for user interaction, and limited confidentiality impact with no integrity or availability consequences. Affected versions span Office 2016 through 2024, Microsoft 365 Apps, and certain SharePoint Server deployments.

Business impact

Information disclosure represents a controlled risk in most enterprise settings. The vulnerability could expose document content, metadata, or cached information if an attacker achieves local machine access and tricks a user into opening a specially crafted file. For organizations handling sensitive documents, even limited information leakage warrants attention. However, the requirement for both local presence and user action significantly constrains the attack surface compared to network-based exploits. SharePoint Server instances may carry elevated risk if they process untrusted content at scale.

Affected systems

Microsoft Office 2016, 2019, 2021, and 2024 are affected, along with Microsoft 365 Apps and certain Microsoft 365 deployments. SharePoint Server installations are also listed as vulnerable. The wide version range reflects a persistent issue across multiple Office generations. Organizations running any of these Office versions should inventory deployments and prioritize those handling high-value intellectual property or regulated data.

Exploitability

This vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no evidence of active exploitation in the wild at the time of publication. Exploitation requires local system access, which is a significant barrier in most corporate environments with proper endpoint controls. Additionally, user interaction is necessary—the victim must open a malicious document—making reliable exploitation dependent on social engineering effectiveness. These factors keep real-world attack likelihood low for well-managed organizations.

Remediation

Microsoft has released patches addressing this vulnerability across affected Office versions. Organizations should apply vendor security updates through standard patching procedures (Windows Update, Microsoft Update, or manual deployment depending on environment). For Microsoft 365 Apps and cloud-connected instances, updates are often applied automatically. Verify patch availability and deployment status against the specific Microsoft security advisory corresponding to this CVE. Interim mitigations include restricting local system access, disabling Office macro execution if not required, and user awareness training to reduce the likelihood of opening untrusted documents.

Patch guidance

Check Microsoft's official security advisories for CVE-2026-45485 to identify the specific patch versions for each affected Office version (2016, 2019, 2021, 2024) and Microsoft 365 Apps. For Microsoft 365 Apps subscriptions, updates are typically pushed automatically; verify successful installation in File > Account > About. For perpetual Office licenses (2016–2024), deploy patches through Windows Update, WSUS, or manual downloads from the Microsoft Update Catalog. Test patches in a non-production environment before broad deployment, particularly in organizations with legacy add-ins or custom integrations. SharePoint Server administrators should consult server-specific advisories and plan updates according to their maintenance windows.

Detection guidance

Look for failed attempts to open Office documents from unexpected or untrusted sources, particularly if followed by unusual application behavior or memory access patterns. Endpoint Detection and Response (EDR) tools may flag attempts to read out-of-bounds memory within Office processes. Monitor Office application crashes or performance anomalies that could indicate exploitation attempts. File integrity monitoring on document libraries, especially SharePoint repositories, can help detect when documents trigger processing anomalies. User reports of unexpected delays when opening specific files should be investigated. Consider deploying Attack Surface Reduction (ASR) rules in Microsoft Defender to limit Office macro execution and other document-based attack vectors.

Why prioritize this

Despite its low CVSS score, this vulnerability warrants attention in any organization where information confidentiality is paramount. The combination of multiple affected Office versions, no known active exploitation, and the requirement for user action makes this a medium-priority patch for most enterprises. Organizations handling trade secrets, regulated data (HIPAA, PCI-DSS, etc.), or intellectual property should prioritize patching sooner. Companies with strong endpoint controls and user training can defer this update longer without significant risk, but should still plan deployment within a standard patch cycle.

Risk score, explained

The CVSS 3.1 score of 3.3 (LOW) reflects limited real-world attack surface: local access required, user interaction mandatory, no system disruption possible, and only confidentiality impact. The vulnerability does not allow remote exploitation, privilege escalation, or service denial. However, the low score should not be interpreted as 'no risk'—organizations processing sensitive information face meaningful exposure from information disclosure, and the wide range of affected versions increases the likelihood that at least some instances remain unpatched in large deployments. Risk contextualization is essential: low CVSS does not equal low business impact in data-sensitive environments.

Frequently asked questions

Does this vulnerability allow remote exploitation or code execution?

No. CVE-2026-45485 requires local system access and user interaction to trigger. It is purely an information disclosure flaw with no code execution, privilege escalation, or denial-of-service capability.

Is this vulnerability actively being exploited?

There is no evidence of active exploitation. The vulnerability has not been added to CISA's KEV catalog as of the publication date. However, organizations should still patch as part of standard security hygiene.

Does Microsoft 365 cloud-based services need patching?

Microsoft 365 Apps (the cloud-connected variant) receives automatic updates from Microsoft. Verify your update status in File > Account > About. Standalone or on-premises Office deployments require manual patching.

What is the practical impact if my organization is compromised locally?

An attacker with local access could read sensitive information from Office process memory—for instance, contents of recently opened documents or cached credentials—by exploiting this flaw. The risk is information disclosure, not system compromise or data modification.

This analysis is based on publicly available CVE data and vendor advisories as of June 2026. CVSS scores and patch version details reflect official vendor guidance; consult the Microsoft Security Update Guide for authoritative information on affected versions and remediation steps. No exploit code or weaponizable proof-of-concept is provided. Organizations should conduct their own risk assessment based on their environment, data classification, and compliance obligations. This is informational content and does not constitute professional security advice; engage qualified security professionals for deployment decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).