Description
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft Word for Mac dereferences an untrusted pointer during document processing, which allows an attacker to achieve arbitrary local code execution. This is a classic out‑of‑bounds read vulnerability (CWE‑125) that can be triggered by crafted input data. The consequence is complete compromise of the affected machine: the attacker can execute arbitrary code with the privileges of the user running Word.

Affected Systems

The vulnerability affects Microsoft 365 Apps for Enterprise, Microsoft Office 365 for Mac, Microsoft Office LTSC for Mac 2021, and Microsoft Office LTSC for Mac 2024. The CNA does not list specific version ranges, indicating that all current releases of these products are potentially affected until a fix is applied.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is not available, and the lack of a KEV listing suggests the vulnerability has not yet been widely exploited in the wild. The most likely attack path is an attacker delivering a malicious Word document to a user, who must open the file for the exploit to succeed. Once triggered, the attacker can execute code with the user's access rights, potentially escalating privileges to system level. The vulnerability remains a significant risk to any environment where users can open Word documents from external or untrusted sources.

Generated by OpenCVE AI on June 9, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Office security update that addresses CVE-2026-45457
  • Avoid opening Word documents and attachments from unknown or suspicious sources
  • Configure Word macro settings to disable macros by default and only enable them for trusted documents
  • Maintain up‑to‑date antivirus and endpoint protection solutions to detect and block malicious content



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description: Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title: Microsoft Word Remote Code Execution Vulnerability
First Time appeared:
  • Microsoft
  • Microsoft 365 Apps
  • Microsoft office 365
  • Microsoft office Macos 2021
  • Microsoft office Macos 2024
Weaknesses: CWE-125
CPEs:
  • cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*
  • cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
  • cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products:
  • Microsoft
  • Microsoft 365 Apps
  • Microsoft office 365
  • Microsoft office Macos 2021
  • Microsoft office Macos 2024
References:
Metrics: cvssV3_1
{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T03:57:26.424Z

Reserved: 2026-05-12T16:06:43.097Z

Link: CVE-2026-45457

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:19.937

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:45:05Z

Weaknesses