HIGH | CVE-2026-45463 | CNA: microsoft

CVE-2026-45463: Microsoft Office Remote Code Execution Vulnerability

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1: 8.4
Severity: HIGH
Fixed in: 16.0.5556.1005
Affected Products: 9


HarborGuard Analysis

Synopsis

Heap-based buffer overflow in Microsoft Office allows an attacker with local access to execute arbitrary code on the affected system. The vulnerability is reached locally without authentication or user interaction, as described by the CVSS vector (AV:L/PR:N/UI:N). Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system. A patched-image rebuild at version 16.0.5556.1005 (and equivalent channel releases) is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-45463 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built images that bundle Microsoft Office components. Coverage extends to all images in connected registries and CI/CD pipelines.

Triage (Available)

HarborGuard scores this CVE at CVSS 8.4 (HIGH) and weights it against each environment's compliance policy to determine priority. Triage routes findings to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild targeting the fixed release (16.0.5556.1005 for Office 2016; the corresponding channel update for 365 and LTSC editions) is available on HarborGuard for affected environments. For customers who opt into auto-remediation, the platform performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the vulnerable service is required.

  • Authentication: Not required

    No account or credential is needed to trigger the overflow; the attacker requires only local execution capability.

  • Victim interaction: Not required

    No user action such as opening a file or clicking a link is required for exploitation.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental pre-conditions beyond local access.

Blast Radius

  • Reads any file accessible to the Office process, including stored credentials, documents, and application data.
  • Writes or modifies files and registry entries accessible to the process, enabling persistence or data tampering.
  • Crashes or destabilizes the affected Office application or dependent services, disrupting availability.
  • Executes arbitrary code in the context of the running user, which on a typical enterprise desktop may carry broad local privileges.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication, matching against all images in connected registries and pipelines that include affected Microsoft Office builds. For environments running Microsoft Office 2016 prior to 16.0.5556.1005, or any 365/LTSC edition prior to the release referenced at aka.ms/OfficeSecurityReleases, a rebuilt image at the patched version is available. For customers who opt into auto-remediation, HarborGuard performs the patched rebuild, executes the configured regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy flags this as critical-path, the finding is routed to the designated owner inbox automatically. Note that several affected product variants (Office for Mac editions, Office for Android) do not carry a specific version pin in the advisory; HarborGuard re-checks the upstream advisory each ingest cycle and will surface a rebuild as soon as Microsoft publishes version-specific fix metadata for those variants.


Fix available

16.0.5556.1005 (see https://aka.ms/OfficeSecurityReleases)

Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise: affected from 16.0.1; fixed version per https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office 2016: affected from 16.0.0; fixed in 16.0.5556.1005
  • Microsoft / Microsoft Office 2019: affected from 19.0.0; fixed version per https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office 365 for Mac: no version range published
  • Microsoft / Microsoft Office for Android: no version range published
  • Microsoft / Microsoft Office LTSC 2021: affected from 16.0.1; fixed version per https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office LTSC 2024: affected from 16.0.0; fixed version per https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office LTSC for Mac 2021: no version range published
  • Microsoft / Microsoft Office LTSC for Mac 2024: no version range published
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C