CVE-2026-45643: Microsoft Office Word Pointer Dereference RCE Vulnerability
Microsoft Office Word contains a vulnerability where untrusted data is dereferenced as a pointer without proper validation, allowing an attacker to execute arbitrary code on a system where Word is installed. The attack requires user interaction—specifically opening a malicious document—but does not require elevated privileges. This is a local code execution issue affecting multiple versions of Microsoft Office and Microsoft 365 Apps.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-822
- Affected products
- 9 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-19
NVD description (verbatim)
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45643 is a pointer dereference vulnerability (CWE-822) in Microsoft Office Word. The vulnerability stems from insufficient validation of pointer references when processing document content. An attacker can craft a malicious Office document that, when opened by a user, causes Word to dereference an attacker-controlled pointer, leading to arbitrary code execution in the context of the user running Word. The low attack complexity and requirement for user interaction (opening a document) make this a practical attack vector in phishing or drive-by download scenarios.
Business impact
This vulnerability poses a significant risk to organizations where Office documents are regularly exchanged, particularly for sectors handling sensitive data. Compromised endpoints can lead to lateral movement, data exfiltration, or deployment of secondary malware. The requirement for user interaction means security awareness training and email gateway controls are critical mitigations. In supply-chain scenarios, trusted contacts sending malicious documents could bypass traditional perimeter defenses. Organizations should treat this as a high-priority threat requiring rapid remediation.
Affected systems
The vulnerability affects Microsoft Office 2021, Microsoft Office 2024, and Microsoft 365 Apps across all supported platforms where Word is deployed. Both subscription-based (Microsoft 365) and perpetual-license (Office 2021/2024) installations are vulnerable. Organizations should verify exact patched version availability from Microsoft's official security bulletins, as patch timelines may vary by product variant and update channel.
Exploitability
Exploitation requires creating a malicious Office document and delivering it to a target user, then relying on the user to open it. No special system privileges are needed on the attacker side, and the attack succeeds against standard user accounts. The CVSS vector (AV:L/AC:L/PR:N/UI:R) reflects that while local access and user interaction are required, the barriers to exploitation are low. Active exploitation is not currently reported in the KEV catalog, but the technical simplicity suggests a moderate risk of public exploitation once proof-of-concept details circulate.
Remediation
Apply security updates from Microsoft addressing CVE-2026-45643 to all affected Office and Microsoft 365 Apps installations. Organizations using Microsoft 365 Apps with automatic updates should confirm deployments have completed. Those on Office 2021 or 2024 should consult Microsoft's security update guidance for patch version numbers and KB article references. Interim measures include disabling macros by default, blocking Office documents from untrusted senders at the email gateway, and enforcing application whitelisting on high-risk systems.
Patch guidance
Check Microsoft's official security advisories and update portals for the specific patched version numbers for your Office product and version. Microsoft 365 Apps users should verify automatic updates have deployed; manual checks can be performed via File > Account > Update Options. Office 2021 and Office 2024 users must obtain patches through Windows Update or the Microsoft Download Center. Test patches in a non-production environment first, particularly if your organization uses Office add-ins or legacy macros that may be affected.
Detection guidance
Monitor for Word process crashes or unexpected termination when processing documents from untrusted sources. Endpoint detection and response (EDR) solutions should flag unusual memory access patterns, pointer dereference anomalies, or suspicious process spawning from winword.exe. Email security systems should scan for known malicious document signatures and apply sandboxing to high-risk attachments. Organizations using Windows Defender or third-party antivirus should ensure signature databases are current. Log failed document open events and crashes for forensic analysis.
Why prioritize this
A CVSS score of 7.8 (HIGH) combined with the document-based attack vector means this vulnerability should be remediated ahead of lower-severity issues. The lack of KEV listing does not minimize urgency; it reflects the current state as of the publication date and may change. The human element (user interaction) is a weakness in the attack chain, making user education valuable alongside patching. Organizations with strong email controls and security-aware users face lower risk than those with weak perimeter defenses.
Risk score, explained
The 7.8 CVSS score reflects a high-severity local code execution vulnerability with low attack complexity and no privilege requirements. The High impact rating covers confidentiality, integrity, and availability—an attacker executing code can read files, modify data, or disable systems. The requirement for local access and user interaction prevents a Critical rating. For most organizations, this maps to a high-priority patch window measured in days to weeks, not months.
Frequently asked questions
Do I need elevated privileges to exploit this vulnerability?
No. The CVSS vector (PR:N) indicates no privileges are required. A standard user account opening a malicious Word document is sufficient. However, the attacker cannot exploit the flaw remotely—they must deliver a document to a user who opens it.
If Word crashes after opening a malicious document, does that mean I was attacked?
Not necessarily. A crash alone does not confirm exploitation; Word crashes for many reasons. However, unusual crashes combined with suspicious process activity, unexpected network connections, or file modifications warrant investigation. Enable logging and review EDR alerts for confirmation.
Will auto-updating Microsoft 365 Apps protect me automatically?
Users with automatic updates enabled should receive the patch automatically. However, verify your update settings (File > Account > Update Options) and confirm the patch is deployed on all systems. Organizations with managed deployments should push updates centrally rather than relying on user-level settings.
Can I disable this vulnerability without patching?
Patching is the recommended fix. Interim controls include disabling macros, blocking Office attachments from external senders at the email gateway, and enforcing application controls. However, these are defense-in-depth measures, not substitutes for patching. Aim to patch within two weeks of patch availability.
This analysis is based on vulnerability data published as of June 2026. Patch availability, KEV listing status, and active exploitation may change. Verify all patch version numbers and release dates against Microsoft's official security bulletins before deployment. This page does not constitute legal or regulatory advice. Organizations should align remediation with their own risk management frameworks and compliance obligations. No exploit code, weaponized proof-of-concept, or step-by-step attack instructions are provided herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45471HIGHMicrosoft Office Word Pointer Dereference Vulnerability (CVSS 7.8)
- CVE-2026-45645HIGHMicrosoft Office Untrusted Pointer Dereference RCE
- CVE-2026-44805MEDIUMWindows Network Controller Host Agent Use-After-Free DoS Vulnerability
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution