CVE-2026-45486: Microsoft Office Word Use-After-Free RCE Vulnerability
A use-after-free vulnerability in Microsoft Office Word allows an attacker with local system access to execute arbitrary code by manipulating memory that has already been freed. The flaw requires user interaction—specifically opening a malicious document—but once triggered, grants the attacker full system-level privileges. This is a local execution vulnerability, not a network-based attack, meaning the attacker must either have initial access to the machine or trick a user into opening a hostile file.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45486 is a use-after-free (CWE-416) memory safety vulnerability in Microsoft Word. The vulnerability exists in how Word handles certain document objects during parsing or rendering. When a specially crafted Office document is opened, Word may reference memory that has been freed, leading to a controlled code execution primitive. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects local attack surface, low complexity, requirement for user interaction, and complete compromise of confidentiality, integrity, and availability on the affected system.
Business impact
A successful exploit of this vulnerability could allow an attacker to assume full control of an affected user's workstation, including the ability to read sensitive files, modify business-critical documents, install persistent malware, or pivot to corporate network resources. For organizations heavily dependent on Microsoft Office, particularly those with remote or hybrid workforces handling untrusted documents, this poses a material risk to data confidentiality and business continuity. The reliance on user interaction (opening a malicious document) makes social engineering a likely attack vector.
Affected systems
Affected products include Microsoft 365 Apps, Office 2021, and Office 2024. The vulnerability affects both subscription-based Microsoft 365 installations and perpetual-license versions. Users of Word as a standalone application or as part of Microsoft 365 suites are in scope. Organizations managing multiple Office versions should inventory all affected installations across their environment.
Exploitability
While the vulnerability requires local access and user interaction to trigger, these constraints are not exceptionally high in practice. Malicious documents can be distributed via email, file-sharing services, or compromised websites. Once a user opens the document—a routine action in business environments—code execution occurs automatically without additional user prompting. The relatively low attack complexity and high impact make this an attractive target for adversaries. However, the absence of CVE-2026-45486 from the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date indicates active exploitation has not yet been publicly confirmed.
Remediation
Microsoft is expected to release security updates addressing this vulnerability. Organizations should apply patches to all affected Office installations as soon as they become available. Interim mitigations may include restricting document opening from untrusted sources, disabling macros in Office applications, and implementing application whitelisting to prevent unauthorized code execution. Verify patch availability and version numbers against official Microsoft security advisories and update channels.
Patch guidance
Monitor Microsoft's security update releases and official advisories for CVE-2026-45486 patch details. When patches become available, prioritize deployment to systems where Office is used by employees who handle external or untrusted documents. Consider phased rollout testing in a non-production environment first. Organizations using Microsoft 365 may receive automatic updates; verify that auto-update is enabled. For Office 2021 and 2024 perpetual licenses, manual updates or update management tools may be required depending on your deployment model.
Detection guidance
Endpoint detection and response (EDR) solutions should alert on unusual child process creation from Microsoft Word, particularly spawning system utilities (cmd.exe, powershell.exe) or loading suspicious DLLs. Monitor for abnormal memory access patterns within Word processes. Network-based indicators are limited due to the local nature of the vulnerability, but email gateways should flag Office documents with suspicious embedded objects or macro content. Log Office crashes or access violations, which may indicate exploitation attempts. Consider behavioral analysis to detect document-triggered code execution.
Why prioritize this
This vulnerability merits urgent remediation due to its HIGH severity rating, complete system compromise potential, and the ubiquity of Microsoft Office in enterprise environments. The requirement for user interaction is offset by the routine nature of opening documents in business workflows, making exploitation likelihood moderate to high. Organizations should prioritize patching within their standard patch management timelines, treating this as a High-priority fix rather than a lower-criticality security update.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects the high impact (confidentiality, integrity, and availability all compromised) balanced against the local attack vector and user interaction requirement. The use-after-free class of vulnerability (CWE-416) is well-understood by researchers and often enables reliable code execution once a triggering input is crafted. The combination of high exploitability within its constraint model and severe consequences results in a HIGH severity classification.
Frequently asked questions
Does this vulnerability affect web-based or online versions of Office?
CVE-2026-45486 affects Microsoft Office Word installed locally on Windows systems, including Microsoft 365 Apps, Office 2021, and Office 2024. Verify against Microsoft's official advisory whether Office for the web (accessed via browser) is in scope, as web-based Office applications typically have different code paths and may not be vulnerable.
Can this be exploited remotely over the network?
No. The CVSS vector indicates this is a local attack vector (AV:L). An attacker cannot remotely execute code directly; they must first gain local access to a system or trick a user into opening a malicious document. The user interaction requirement means the vulnerability is triggered when a user opens a hostile Office file, not through network protocols.
Are macro-enabled documents required for exploitation?
The vulnerability is a use-after-free in Word's document parsing logic and does not inherently require macros to trigger. However, verify against the vendor advisory whether macros are used in the exploit chain. Disabling macros is a prudent interim control but may not fully mitigate this vulnerability if the flaw exists in non-macro parsing paths.
Is this vulnerability currently being exploited in the wild?
As of the publication date, CVE-2026-45486 is not listed on CISA's Known Exploited Vulnerabilities catalog, indicating no publicly confirmed active exploitation. However, this does not guarantee absence of private or targeted exploitation. Monitor threat intelligence feeds and apply patches promptly upon release.
This analysis is based on publicly disclosed vulnerability data current as of the publication date. Patch version numbers, KEV status, and specific affected product versions should be verified against official Microsoft security advisories and the CISA Known Exploited Vulnerabilities catalog. No exploit code, proof-of-concept, or weaponized attack details are provided. Organizations should conduct their own risk assessment and consult vendor advisories before implementing mitigations. SEC.co does not assume liability for the accuracy or completeness of third-party vendor data. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment
- CVE-2026-10016HIGHUse-After-Free in Chrome DOM – Sandbox Code Execution Vulnerability