Description
Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
Published: 2026-06-09
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in Microsoft Office Click‑To‑Run permits a local, authorised attacker to gain higher privileges. The flaw, classified as CWE‑416, allows the attacker to access functions or resources reserved for privileged users, potentially enabling further exploitation of the system.

Affected Systems

The vulnerability affects Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft Office LTSC 2024.

Risk and Exploitability

With a CVSS score of 7, the vulnerability is a high‑severity concern for local users. Exploitation requires the attacker to have a user account on the machine and the ability to interact with the Office client, which implies a local attack vector. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet been widely observed in the wild but could still be exploited in targeted scenarios.

Generated by OpenCVE AI on June 9, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft Office updates and service packs to remove the use‑after‑free flaw
  • If Click‑To‑Run is not required, disable the feature via group policy or install the MSI‑based Office version
  • Limit local user privileges and enforce least‑privilege practices to reduce the impact of any remaining vulnerabilities

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description: Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
Title: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
First Time appeared:
  • Microsoft
  • Microsoft 365 Apps
  • Microsoft office 2019
  • Microsoft office 2021
  • Microsoft office 2024
Weaknesses: CWE-416
CPEs:
  • cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
  • cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
Vendors & Products:
  • Microsoft
  • Microsoft 365 Apps
  • Microsoft office 2019
  • Microsoft office 2021
  • Microsoft office 2024
References
Metrics: cvssV3_1
  {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:59.651Z

Reserved: 2026-05-18T23:53:33.897Z

Link: CVE-2026-47293

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:34.927

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T22:30:14Z

Weaknesses