HIGH 8.4

CVE-2026-47635: Microsoft Office 2024 Heap Overflow Remote Code Execution

A heap-based buffer overflow vulnerability exists in Microsoft Office 2024 that allows an attacker with local access to execute arbitrary code with the privileges of the user running Office. The vulnerability requires no user interaction or special privileges to trigger, making it a direct local code execution risk for anyone with system access to an affected machine.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-122
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47635 is a heap-based buffer overflow (CWE-122) in Microsoft Office 2024. The vulnerability stems from improper memory management when processing specific input, enabling an attacker to overflow a heap buffer and overwrite adjacent memory structures. This memory corruption can be leveraged to achieve arbitrary code execution in the context of the Office application. The attack vector is local, requires no user interaction, and no special privileges—meaning any user with command-line or local file access can potentially trigger the vulnerability without social engineering.

Business impact

This vulnerability poses a significant local privilege escalation and lateral movement risk. An attacker who compromises a user account or gains temporary local access could execute malicious code with the privileges of the Office process. In enterprise environments, this creates a pathway for ransomware deployment, data exfiltration, and persistence mechanisms. Organizations relying on Office for business-critical workflows face operational disruption and potential compliance violations if data is compromised. The ease of exploitation (no user interaction required) makes this a priority remediation target.

Affected systems

Microsoft Office 2024 is confirmed vulnerable. Organizations running this version across Windows environments should assume all instances are at risk. Legacy or non-standard Office deployments should be verified against the vendor's official compatibility matrix to confirm scope. Users on earlier Office versions (2019, 2021, subscription variants) should consult Microsoft's security advisory to determine if patches are applicable to their specific builds.

Exploitability

The vulnerability has a high exploitability profile: local access is required, but no authentication or user interaction is needed. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N) reflects this. An attacker with shell access, physical access to an unlocked machine, or the ability to execute files through a prior compromise can trigger the overflow. The barrier to exploitation is low for anyone already inside the security perimeter. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, but this does not indicate the absence of active exploitation attempts.

Remediation

Apply the security update released by Microsoft for Office 2024 as soon as operationally feasible. Patch deployment should be prioritized for machines handling sensitive data, administrative workstations, and systems exposed to untrusted users. Complementary controls include restricting local access through host-based firewalls, disabling unnecessary Office macros and plugins, and enforcing endpoint detection and response (EDR) tools to monitor for suspicious Office process behavior. For environments unable to patch immediately, consider disabling or isolating the most frequently exploited Office features if business operations allow.

Patch guidance

Consult Microsoft's official security advisory for CVE-2026-47635 to obtain the specific patch version and deployment timeline. Microsoft typically releases patches on monthly Patch Tuesday cycles; verify the exact update KB number and whether it applies to your Office deployment model (MSI, Click-to-Run, Microsoft 365 subscription). Test patches in a non-production environment first, especially in environments with custom Office add-ins or legacy integrations. Enable automatic updates where possible to reduce time-to-patch for future vulnerabilities.

Detection guidance

Monitor for heap corruption crashes or anomalous termination of Office processes (WINWORD.exe, EXCEL.exe, POWERPNT.exe, etc.). EDR and security analytics platforms should alert on suspicious Office child processes, especially those spawning command shells or writing to system directories. Heap spray techniques or unusual memory access patterns may be visible in kernel-level telemetry. Network-based detection is limited for this local vulnerability, but monitor for post-exploitation command-and-control traffic that may follow successful code execution. Correlate Office crashes with file activity to identify suspicious document or input sources.

Why prioritize this

This vulnerability merits immediate remediation due to its CVSS 8.4 severity, local code execution impact, and low barrier to exploitation. The absence of user interaction and privilege requirements makes it exploitable by a broad category of attackers, including disgruntled insiders and threat actors who have gained initial access. The ubiquity of Office in enterprise environments amplifies risk. Although not yet in the KEV catalog, the combination of ease-of-exploitation and high impact suggests active exploitation attempts are plausible. Organizations should treat this as a tier-one patch priority.

Risk score, explained

The CVSS 3.1 score of 8.4 (HIGH) reflects a vulnerability with local attack vector, low attack complexity, no privilege or user interaction requirements, and unrestricted confidentiality, integrity, and availability impact. While the attack vector is local rather than network-based (which would elevate the score further), the complete absence of exploitation barriers—coupled with Office's pervasive deployment—justifies rapid remediation. The HIGH severity correctly signals a critical business risk in most enterprise contexts.

Frequently asked questions

Do I need to worry about this if Office is not used on my network?

No. If Microsoft Office 2024 is not deployed in your environment, this vulnerability does not directly affect you. However, ensure your asset inventory is accurate; Office may exist on machines not explicitly managed by IT (personal devices with VPN access, contractor machines, etc.). If Office 2024 is present, remediation is necessary.

Will a firewall rule protect me from this vulnerability?

Not entirely. Because the vulnerability requires local access and no network interaction, traditional network firewalls cannot block it. Host-based access controls (restricting who can log into machines), endpoint detection and response (EDR) tools, and process isolation are more effective. A network firewall will not prevent an attacker already on your network from exploiting it.

Is this vulnerability being actively exploited in the wild?

The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, KEV inclusion typically lags behind actual exploitation by weeks or months. Given the ease of exploitation and high-value nature of Office environments, assume active exploitation attempts are possible and patch accordingly.

What if I cannot patch immediately due to business constraints?

Implement compensating controls: restrict user access to machines running Office 2024, disable or isolate high-risk Office features (macros, add-ins, external connections), enforce EDR monitoring to detect exploitation attempts, and increase logging of Office process behavior. These measures reduce but do not eliminate risk; patch as soon as operationally feasible.

This analysis is based on publicly disclosed vulnerability data and the CVSS vector provided. Actual exploitability, prevalence, and remediation timelines may vary by organization and configuration. Consult Microsoft's official security advisory for definitive patch information, compatibility details, and supported versions. SEC.co does not provide warranty regarding patch efficacy or compatibility with custom Office deployments. Organizations should validate all patches in non-production environments before wide-scale deployment. This document does not constitute legal, compliance, or procurement advice. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).