Description
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
Published: 2026-06-09
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds memory read in certain Microsoft Office components enables a local attacker to access sensitive data stored in process memory. The vulnerability is classified as CWE‑126 (Buffer Over-read) and lets the attacker exfiltrate confidential information with no remote interaction required.

Affected Systems

The flaw affects multiple Office products, including Microsoft 365 Apps for Enterprise, Office 2019, Office 365 for Mac, the LTSC 2021 and LTSC 2024 releases, the LTSC for Mac 2021 and LTSC for Mac 2024 editions, and the Office for Android application. The CVE entry does not list specific sub‑versions or build numbers, so all current releases of the mentioned products are potentially impacted.

Risk and Exploitability

The CVSS score of 4.7 indicates medium severity, and the EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local access to the target system; a user or process with privileges sufficient to load Office documents can trigger the out‑of‑bounds read. The CVSS vector (AV:L/AC:H/PR:N/UI:R) additionally records high attack complexity and required user interaction. Attackers can thus potentially read and disclose data that resides in Office’s memory space.

Generated by OpenCVE AI on June 9, 2026 at 19:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Office security update that addresses CVE-2026-45460 via Microsoft Update or the security bulletin referenced at the Microsoft Security Response Center link.
  • Ensure the update is deployed to all affected endpoints using the organization’s managed update solution.
  • For Android devices, confirm that the Office app is updated to the latest version available on Google Play to provide the same mitigation.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. |
| Title | | Microsoft Office Information Disclosure Vulnerability |
| First Time appeared | | Microsoft; Microsoft 365 Apps; Microsoft office; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024; Microsoft office 365; Microsoft office Macos 2021; Microsoft office Macos 2024 |
| Weaknesses | | CWE-126 |
| CPEs | | cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:* |
| | | cpe:2.3:a:microsoft:office:*:*:android:*:*:*:*:* |
| | | cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:* |
| | | cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:* |
| | | cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:* |
| | | cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:* |
| | | cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:* |
| | | cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:* |
| Vendors & Products | | Microsoft; Microsoft 365 Apps; Microsoft office; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024; Microsoft office 365; Microsoft office Macos 2021; Microsoft office Macos 2024 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:49:53.805Z

Reserved: 2026-05-12T16:06:43.097Z

Link: CVE-2026-45460

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:20.323

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:00:07Z

Weaknesses