HIGH | CVE-2026-45458 | CNA: microsoft

CVE-2026-45458: Microsoft Outlook and Word Remote Code Execution Vulnerability

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

Metrics

  • CVSS v3.1: 8.4
  • Severity: HIGH
  • Fixed in: 16.0.5556.1000
  • Affected Products: 11


HarborGuard Analysis

Synopsis

A type confusion vulnerability in Microsoft Outlook and Word (part of Microsoft Office and Microsoft 365 Apps) allows an unauthenticated attacker with local access to execute arbitrary code on the affected system. The flaw is triggered locally without any user interaction or elevated privileges, meaning any process or shell access to the host is sufficient to reach the vulnerable code path. Successful exploitation gives the attacker full control over the confidentiality, integrity, and availability of the affected system. Patched-image rebuilds at versions 16.0.5556.1000, 16.0.5556.1005, 16.0.10417.20153, and 16.0.19725.20384 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-45458 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication, including custom-built images that bundle Microsoft Office components. Coverage extends to all affected product lines listed in the advisory, from Microsoft 365 Apps for Enterprise through SharePoint Enterprise Server 2016.

Triage: Available

HarborGuard scores this CVE at CVSS 8.4 (HIGH) and makes that score available as the baseline for per-environment compliance policy weighting, so teams that treat local-execution vulnerabilities differently from network-facing ones can apply their own thresholds. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard policy workflow.

Patch: Available

A patched-image rebuild at the fix versions listed in the Microsoft Office Security Releases advisory is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable code path.

  • Authentication: Not required

    No credentials or account of any privilege level are required to trigger the type confusion flaw.

  • Victim interaction: Not required

    The vulnerability can be triggered without any action from a logged-in user or other victim on the system.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Reads all files and data accessible to the Office process, including stored credentials, documents, and cached session tokens.
  • Modifies or overwrites files and application data on the host, including Office configuration and persisted user data.
  • Crashes or terminates the affected Office application or dependent services, disrupting availability for the local user.
  • Executes arbitrary code in the security context of the vulnerable process, enabling further lateral movement or persistence on the host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45458 is matched against customer images within minutes of publication, covering all affected Microsoft Office product lines identified in the advisory. Where compliance policy permits, a patched-image rebuild at the applicable fix version (16.0.5556.1000, 16.0.5556.1005, 16.0.10417.20153, or 16.0.19725.20384 depending on the product channel) becomes available immediately. For customers with auto-remediation enabled, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Because the attack vector is local and requires no authentication, compensating controls for environments that cannot patch immediately include restricting shell and process-level access to hosts running affected Office versions, applying least-privilege execution policies to Office processes, and using egress filtering to limit what a compromised Office process can reach on the network.


Fix available

  • 16.0.5556.1000
  • 16.0.5556.1005
  • 16.0.10417.20153
  • 16.0.19725.20384
  • https://aka.ms/OfficeSecurityReleases
Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office 2019
    < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
  • Microsoft / Microsoft Office 365 for Mac
    -
  • Microsoft / Microsoft Office LTSC 2021
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office LTSC 2024
    < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
  • Microsoft / Microsoft Office LTSC for Mac 2021
    -
  • Microsoft / Microsoft Office LTSC for Mac 2024
    -
  • Microsoft / Microsoft SharePoint Enterprise Server 2016
    < 16.0.5556.1005 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server 2019
    < 16.0.10417.20153 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server Subscription Edition
    < 16.0.19725.20384 (from 16.0.0)
  • Microsoft / Microsoft Word 2016
    < 16.0.5556.1000 (from 16.0.1)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C