CVE-2026-45645: Microsoft Office Untrusted Pointer Dereference RCE
CVE-2026-45645 is a high-severity memory safety vulnerability in Microsoft Office that enables local code execution. An attacker who gains access to a user's system can craft a malicious Office document that, when opened by the user, exploits improper pointer handling to run arbitrary code with the privileges of the person viewing the file. This requires user interaction (opening a document) but no special permissions to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787, CWE-822
- Affected products
- 13 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from untrusted pointer dereference and improper bounds checking in Microsoft Office's document processing logic. When parsing specially crafted Office files, the application fails to validate pointer values before dereferencing them, resulting in an out-of-bounds write condition (CWE-787). Combined with insufficient pointer validation (CWE-822), this allows an attacker to overwrite adjacent memory regions and achieve arbitrary code execution in the context of the Office process.
Business impact
Organizations relying on Microsoft Office face risk of data theft, malware installation, and system compromise through weaponized documents. Since the attack requires only user action—opening a file—social engineering vectors become viable. Compromised endpoints could serve as footholds for lateral movement, particularly in environments where Office users access sensitive systems or maintain network privileges.
Affected systems
This vulnerability affects Microsoft 365 Apps, Office 2016, Office 2019, Office 2021, and Office 2024 across both retail and subscription-based deployments. All modern Office versions released in the past decade remain in scope, making this a broad exposure for most enterprises.
Exploitability
Exploitability is moderate to moderately-high. The attack requires local system access and user interaction (opening a document), which limits opportunistic exploitation. However, the barrier to weaponization is relatively low—crafted documents can be distributed via email or file-sharing services to target specific users. The lack of CISA KEV designation suggests exploitation in the wild is not yet confirmed, but the attack surface and user-centric delivery method make active exploitation likely over time.
Remediation
Apply security patches released by Microsoft for the affected Office versions. Organizations should prioritize patching Office 2016, 2019, 2021, and 2024 installations and Microsoft 365 Apps subscription services. Additionally, implement complementary controls: disable macros by default, block suspicious Office file types at email gateways, and enforce application whitelisting to limit code execution post-compromise.
Patch guidance
Verify patch availability through Microsoft's official security advisory channels and your organization's patch management system. For Microsoft 365 Apps, ensure automatic updates are enabled; for perpetual Office licenses (2016, 2019, 2021, 2024), obtain and deploy cumulative security updates from Windows Update or the Microsoft Update Catalog. Test patches in a non-production environment first to confirm compatibility with critical workflows.
Detection guidance
Monitor for anomalous Office process behavior: unexpected child process spawning, unusual network connections from Office processes, or suspicious memory writes. Endpoint Detection and Response (EDR) tools should flag attempts to execute code from Office temporary directories or suspicious API calls associated with memory manipulation. Network detection can identify malicious Office documents traversing email or file-sharing channels by examining document metadata and structure anomalies.
Why prioritize this
CVE-2026-45645 merits prompt attention due to its CVSS 7.8 (HIGH) rating, broad product coverage across Office generations, and reliance on user interaction that adversaries can facilitate through social engineering. While not yet in the CISA KEV catalog, the combination of high severity, mature attack surface, and ease of weaponization makes it a priority for patching within 30 days.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects high impact (confidentiality, integrity, and availability all compromised), local attack vector, low complexity, no privileges required, and required user interaction. The score appropriately captures the severity of arbitrary code execution balanced against the requirement for local access and social engineering to succeed.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. CVE-2026-45645 requires local access to the system and user interaction. However, attackers can achieve local access through other means (phishing for credentials, lateral movement) and then exploit this vulnerability. The 'local' requirement does not minimize risk in multi-user or compromised network environments.
Do we need to disable Office entirely to stay safe?
No. Disabling Office is not a practical or necessary remediation. Instead, apply patches promptly, configure email gateways to block suspicious Office file types, disable macros by default in Office settings, and educate users about opening unexpected documents from untrusted sources.
Will our antivirus or EDR tool prevent this attack?
Modern EDR solutions may detect exploitation attempts through behavioral analysis—for example, unusual Office process spawning or memory access patterns. However, antivirus alone cannot reliably block a zero-day or N-day weaponized Office document. Layered defenses (patching, EDR, email filtering, user training) are most effective.
Is this vulnerability actively exploited in the wild?
As of the published date, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. However, the lack of public confirmation does not guarantee absence of exploitation. Assume adversaries may develop exploits and prioritize patching accordingly.
This analysis is provided for informational purposes and based on the CVE data available as of the publish date. Security teams should verify all patch versions, vendor advisories, and deployment timelines with Microsoft's official security guidance. Exploitability, prevalence, and remediation timelines may change as new information emerges. This explainer does not constitute professional security advice; consult with your organization's security team and vendors before taking action. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10883HIGHType Confusion in Chrome ANGLE Graphics Library
- CVE-2026-10897HIGHCritical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGHChrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11173HIGHChrome V8 Out-of-Bounds Write Sandbox Escape – Patch Guidance
- CVE-2026-42909HIGHMicrosoft Remote Desktop Client Race Condition Remote Code Execution
- CVE-2026-42910HIGHWindows Hotpatch Monitoring Service Privilege Escalation Vulnerability