Description
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-06-09
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who can trigger a type confusion condition in Microsoft Office products can cause the application to treat data of one type as another, which permits execution of arbitrary code locally on the target machine. The flaw arises because the software does not validate that a resource is of the expected type before accessing it.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Office 2021, Office 2024, Microsoft Office 365 for Mac, Office LTSC 2021 and LTSC 2024, Office LTSC for Mac 2021 and LTSC for Mac 2024, Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition, and Microsoft Word 2016. No specific version ranges are listed in the CNA data, so all current releases of these products are potentially vulnerable until a patch is applied.

Risk and Exploitability

The vulnerability receives a CVSS score of 8.4, indicating high severity. No EPSS score is available, so the exploitation probability cannot be quantified at this time. The flaw is not listed in the CISA KEV catalog. Because the attack requires the ability to supply data that is interpreted as an incompatible type, the attack vector is likely a crafted document opened within the affected Office application. Multiple product lines are affected, increasing the potential impact across enterprise environments.

Generated by OpenCVE AI on June 9, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the update for Microsoft Office products referenced in the Microsoft Security Response Center update guide for CVE-2026-45456.
  • Configure automatic updates so that future patches are received without manual intervention.
  • Restrict macro and content file execution by setting application security settings to ‘Disable all macros with notification’ and reviewing trusted document locations.
  • If a patch cannot be applied immediately, consider disabling the affected Office components on high‑risk endpoints or isolating those systems from external networks.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
Values Added: Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

Type: Title
Values Added: Microsoft Outlook and Word Remote Code Execution Vulnerability

Type: First Time appeared
Values Added:
  • Microsoft
  • Microsoft 365 Apps
  • Microsoft office 2019
  • Microsoft office 2021
  • Microsoft office 2024
  • Microsoft office 365
  • Microsoft office Macos 2021
  • Microsoft office Macos 2024
  • Microsoft sharepoint Server
  • Microsoft sharepoint Server 2016
  • Microsoft sharepoint Server 2019
  • Microsoft word 2016

Type: Weaknesses
Values Added: CWE-843

Type: CPEs
Values Added:
  • cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
  • cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
  • cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*
  • cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
  • cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
  • cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
  • cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added:
  • Microsoft
  • Microsoft 365 Apps
  • Microsoft office 2019
  • Microsoft office 2021
  • Microsoft office 2024
  • Microsoft office 365
  • Microsoft office Macos 2021
  • Microsoft office Macos 2024
  • Microsoft sharepoint Server
  • Microsoft sharepoint Server 2016
  • Microsoft sharepoint Server 2019
  • Microsoft word 2016

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T03:56:16.696Z

Reserved: 2026-05-12T16:06:43.097Z

Link: CVE-2026-45456

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:19.790

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45456

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T03:15:20Z

Weaknesses