Description
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-06-09
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap-based buffer overflow in Microsoft Office that permits an attacker to execute arbitrary code locally on the victim’s system, potentially compromising confidentiality, integrity, and availability. This flaw correlates with CWE-416,"Use After Free", indicating that improper memory management can lead to code execution. Abuse of the overflow could allow full system compromise in the hands of a skilled attacker.

Affected Systems

Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Microsoft Office for Android.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity. EPSS is not available, but the absence of a KEV listing does not reduce the risk; the vulnerability remains exploitably far from common public exposure. Attackers are likely to use a malicious document or file that the user opens or that is processed automatically by Office; a local, authenticated user can trigger the overflow and run code with the Office process’s privileges. No active exploit has been publicly reported, but the high severity warrants immediate attention.

Generated by OpenCVE AI on June 9, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Office security update immediately via Windows Update, Office 365 update channels, or the Office for Mac update mechanism.
  • Configure email and network security controls to filter or block Office document attachments unless verified as safe; consider disabling automatic opening of attachments that could trigger the vulnerability.
  • Enforce least-privilege usage for Office applications by restricting user permissions and disabling macro support where possible to limit the impact of potential exploitation.

Generated by OpenCVE AI on June 9, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Title Microsoft Office Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office 365
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office:*:*:android:*:*:*:*:*
cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office 365
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2016 Office 2019 Office 2021 Office 2024 Office 365 Office Macos 2021 Office Macos 2024
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:49:40.300Z

Reserved: 2026-05-12T16:06:43.099Z

Link: CVE-2026-45474

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:21.877

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45474

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T19:30:12Z

Weaknesses