HIGH | CVE-2026-45456 | CNA: microsoft

CVE-2026-45456: Microsoft Outlook and Word Remote Code Execution Vulnerability

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

Metrics

  • CVSS v3.1: 8.4
  • Severity: HIGH
  • Fixed in: 16.0.5556.1000
  • Affected Products: 11


HarborGuard Analysis

Synopsis

A type confusion vulnerability in Microsoft Office (including Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, and SharePoint Enterprise Server 2016) allows an attacker with an existing foothold on the host to execute arbitrary code locally. The CVSS vector shows no network exposure and no authentication requirement, meaning the attacker exploits a malformed file or in-process operation that triggers the type mismatch directly on the machine. Successful exploitation gives the attacker full code execution with the ability to read, modify, or destroy data and crash the affected application. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection of CVE-2026-45456 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Microsoft Office components. Any image whose installed Office package version falls below the fix thresholds is flagged automatically.

Status: Available

Triage

HarborGuard surfaces this CVE with its CVSS 3.1 score of 8.4 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the inbox or ticketing integration configured for the relevant team inside each customer organization.

Status: Available

Patch

Patched-image rebuilds pinned to the applicable fix versions (16.0.5556.1000, 16.0.5556.1005, 16.0.10417.20153, 16.0.19725.20384, or the version resolved from the Microsoft Office Security Releases URL for Mac and SharePoint variants) are available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attack vector is Local (AV:L), so the attacker needs an existing shell or process on the host rather than any network path to the service.

  • Authentication: Not required

    No privileges are required (PR:N), meaning the attacker does not need any account or credential on the target system.

  • Victim interaction: Not required

    No user interaction is required (UI:N), so the attacker does not need to socially engineer a victim into opening a file or clicking a link.

  • Attack complexity: Detail

    Attack complexity is Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • The attacker executes arbitrary code in the context of the Office process, reading any files or secrets accessible to that process, including locally cached credentials and document contents.
  • The attacker modifies or overwrites files and data accessible to the compromised process, including documents, templates, and application data on the host.
  • The attacker terminates or crashes the affected Office application, disrupting availability for the user session.
  • Because all three CVSS impact scores are High (C:H/I:H/A:H), the attacker achieves full control over the confidentiality, integrity, and availability of resources within the process scope.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45456 is active and matches against any image that packages an affected version of Microsoft Office, including custom enterprise base images. For environments running affected versions (Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, SharePoint Enterprise Server 2016 below 16.0.5556.1005, and the corresponding Mac LTSC builds), a patched rebuild at the appropriate fix version is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs the regression test suite, and opens a pull request against the affected workload; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, the finding is routed to the configured team inbox with the full CVSS context and fix-version detail so engineers can act immediately.


Fix available

  • 16.0.5556.1000
  • 16.0.5556.1005
  • 16.0.10417.20153
  • 16.0.19725.20384
  • https://aka.ms/OfficeSecurityReleases

Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office 2019
    < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
  • Microsoft / Microsoft Office 365 for Mac
    -
  • Microsoft / Microsoft Office LTSC 2021
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office LTSC 2024
    < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
  • Microsoft / Microsoft Office LTSC for Mac 2021
    -
  • Microsoft / Microsoft Office LTSC for Mac 2024
    -
  • Microsoft / Microsoft SharePoint Enterprise Server 2016
    < 16.0.5556.1005 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server 2019
    < 16.0.10417.20153 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server Subscription Edition
    < 16.0.19725.20384 (from 16.0.0)
  • Microsoft / Microsoft Word 2016
    < 16.0.5556.1000 (from 16.0.1)
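
The ranges above can be checked against an inventory of installed builds. The following is an added example, not HarborGuard's matching logic: the function names and result labels are hypothetical, and the ranges are copied from the list above. It compares builds numerically (a string comparison ranks 16.0.9999.1 above 16.0.10417.20153) and reports products whose fix build the page gives only as a URL or "-" as needing a vendor lookup instead of guessing.

```python
# Ranges copied from the "Affected packages" list: (first affected, first fixed).
# None means the page gives no numeric build (only the release URL or "-").
RANGES = {
    "Microsoft SharePoint Enterprise Server 2016": ("16.0.0", "16.0.5556.1005"),
    "Microsoft SharePoint Server 2019": ("16.0.0", "16.0.10417.20153"),
    "Microsoft SharePoint Server Subscription Edition": ("16.0.0", "16.0.19725.20384"),
    "Microsoft Word 2016": ("16.0.1", "16.0.5556.1000"),
    "Microsoft 365 Apps for Enterprise": ("16.0.1", None),
    "Microsoft Office LTSC for Mac 2021": (None, None),
}


def parse_build(text):
    """Turn '16.0.5556.1000' into (16, 0, 5556, 1000), padding short forms with 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def classify(product, installed):
    """Return 'affected', 'fixed', 'not-affected', 'needs-vendor-lookup' or 'not-listed'."""
    if product not in RANGES:
        return "not-listed"
    start, fixed = RANGES[product]
    build = parse_build(installed)
    if start is not None and build < parse_build(start):
        return "not-affected"
    if fixed is None:
        return "needs-vendor-lookup"  # the page has no build number to compare against
    return "affected" if build < parse_build(fixed) else "fixed"


def scan(inventory):
    """Classify every (product, build) pair in an inventory."""
    return [(product, build, classify(product, build)) for product, build in inventory]


# Constructed inventory for illustration; these are not real hosts or images.
SAMPLE_INVENTORY = [
    ("Microsoft SharePoint Server 2019", "16.0.9999.1"),
    ("Microsoft Word 2016", "16.0.5556.1000"),
    ("Microsoft 365 Apps for Enterprise", "16.0.17000.1"),
]

if __name__ == "__main__":
    for row in scan(SAMPLE_INVENTORY):
        print(*row, sep=" | ")
```
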
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C