Description
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-06-09
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap‑based buffer overflow in Microsoft Office allows an unauthorized attacker to execute arbitrary code within the context of the user’s session. The vulnerability can be triggered by opening a specially crafted document file, resulting in loss of confidentiality, integrity, or availability for the affected user and potentially the entire system.

Affected Systems

The affected products are Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Microsoft Office for Android; no specific versions are listed.

Risk and Exploitability

The CVSS score of 8.4 indicates a high-severity vulnerability; no EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local, requiring the attacker to supply a malicious file that a user opens. While user interaction is needed, the impact is significant due to the potential for arbitrary code execution.

Generated by OpenCVE AI on June 9, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update for CVE-2026-45472 from the Microsoft Security Update Guide
  • Restrict access to untrusted documents and prevent users from opening unknown files until the update is applied
  • Configure Office to disable macros from unknown sources as an additional protection measure

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type / Values Removed / Values Added

Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Title: Microsoft Office Remote Code Execution Vulnerability

First Time appeared:
  Microsoft
  Microsoft 365 Apps
  Microsoft office
  Microsoft office 2016
  Microsoft office 2019
  Microsoft office 2021
  Microsoft office 2024
  Microsoft office 365
  Microsoft office Macos 2021
  Microsoft office Macos 2024

Weaknesses: CWE-416

CPEs:
  cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
  cpe:2.3:a:microsoft:office:*:*:android:*:*:*:*:*
  cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*
  cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
  cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
  cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*
  cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
  cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*

Vendors & Products:
  Microsoft
  Microsoft 365 Apps
  Microsoft office
  Microsoft office 2016
  Microsoft office 2019
  Microsoft office 2021
  Microsoft office 2024
  Microsoft office 365
  Microsoft office Macos 2021
  Microsoft office Macos 2024

References:

Metrics: cvssV3_1
  {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:49:38.776Z

Reserved: 2026-05-12T16:06:43.099Z

Link: CVE-2026-45472

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:21.740

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T19:30:12Z

Weaknesses