Description
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
Published: 2026-06-09
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds read within Microsoft Excel permits an attacker who can trigger the vulnerability to read data from memory that should not be exposed. The consequence is that sensitive data may be disclosed over a network to the attacker, potentially leaking confidential information. The weakness is identified as CWE‑125, which describes an attempt to read past an array’s bounds, leading to unauthorized data exposure.

Affected Systems

Affected are Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021 and 2024, Microsoft Office LTSC for Mac 2021 and 2024, and Office Online Server. Specific version ranges are not provided in the advisory, meaning any installation of the listed products could be vulnerable if not patched.

Risk and Exploitability

The CVSS score of 3.3 classifies this vulnerability as low severity. No EPSS score is available, so the probability of exploitation is uncertain, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network‑based local attacker who can cause or influence the vulnerable read operation, which suggests that the threat is mainly local or internal to the network. The impact is limited to information disclosure; there is no evidence of escalation, execution, or denial of service.

Generated by OpenCVE AI on June 9, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update that addresses CVE‑2026‑45455 to all affected Office products
  • Monitor logs for unauthorized read attempts or anomalous network traffic that could indicate exploitation attempts
  • Restrict network access to Excel services by configuring firewall rules or network segmentation, ensuring only authorized users or devices can reach vulnerable components

Generated by OpenCVE AI on June 9, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
Title Microsoft Excel Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office 365
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-125
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office 365
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Excel 2016 Office 2019 Office 2021 Office 2024 Office 365 Office Macos 2021 Office Macos 2024
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:37.551Z

Reserved: 2026-05-12T16:06:43.097Z

Link: CVE-2026-45455

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:19.660

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45455

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:00:19Z

Weaknesses