Description
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft Office Word contains an untrusted pointer dereference that allows an unauthorized user to execute code locally when a specially crafted document is opened. The flaw, categorized as CWE-822, opens the way to arbitrary code injection at the application level, potentially allowing an attacker to run malicious binaries, steal information, or modify system state with the privileges of the logged‑in user.

Affected Systems

The affected platforms include Microsoft 365 Apps for Enterprise, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, and Microsoft Office LTSC for Mac 2024. Versions of these products released before the official patch are susceptible.

Risk and Exploitability

The CVSS score of 7.8 indicates a high risk of local compromise. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires local user access to a document, the attack vector is likely local (or remote, if the file can be delivered via remote desktop, email, or a shared network location). Given its severity, attackers who can trick a user into opening a malicious file have a feasible path to arbitrary code execution.

Generated by OpenCVE AI on June 9, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft Office updates that address the pointer dereference issue.
  • Ensure automatic updates are enabled for Microsoft Office to receive future security patches promptly.
  • Implement application control (e.g., Windows Defender AppLocker or SmartScreen) to restrict execution of untrusted code in Office documents.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
| Title | | Microsoft Word Remote Code Execution Vulnerability |
| First Time appeared | | Microsoft, Microsoft 365 Apps, Microsoft office 2021, Microsoft office 2024, Microsoft office 365, Microsoft office Macos 2021, Microsoft office Macos 2024 |
| Weaknesses | | CWE-822 |
| CPEs | | cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*, cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*, cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*, cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*, cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*, cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:* |
| Vendors & Products | | Microsoft, Microsoft 365 Apps, Microsoft office 2021, Microsoft office 2024, Microsoft office 365, Microsoft office Macos 2021, Microsoft office Macos 2024 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T03:57:24.207Z

Reserved: 2026-05-12T20:33:35.156Z

Link: CVE-2026-45643

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:31.410

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:19Z

Weaknesses