HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-45471Published Modified CNA microsoft

CVE-2026-45471: Microsoft Word Remote Code Execution Vulnerability

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1
7.8
Severity
HIGH
Fixed in
16.0.5556.1000
Affected Products
11

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An untrusted pointer dereference vulnerability in Microsoft Word allows an attacker to execute arbitrary code on the local machine. The attack is launched locally and requires no prior authentication, but the victim must open a specially crafted document. Successful exploitation gives the attacker full code execution on the affected system. Patched-image rebuilds at the fixed versions are available on HarborGuard for environments running affected versions of Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, and SharePoint Enterprise Server 2016.

HarborGuard Coverage

Detection

Detection of CVE-2026-45471 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using ingestion from Microsoft's upstream security feeds. Coverage extends to custom-built images that bundle affected Microsoft Office components.

Available
Triage

Triage is available using the CVSS v3.1 base score of 7.8 (HIGH), weighted against each customer organization's per-environment compliance policies and severity thresholds. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Available
Patch

Patched-image rebuilds at versions 16.0.5556.1000, 16.0.5556.1005, 16.0.10417.20153, and 16.0.19725.20384 are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network exposure is required to reach the vulnerable code path.

  • AuthenticationNot required

    No account credentials or prior authentication are needed to trigger the vulnerability.

  • Victim interactionRequired

    The victim must open a specially crafted Word document, making this a social-engineering vector that requires user action.

  • Attack complexityDetail

    Exploit conditions are reliable and condition-free; no race conditions or specific memory layout dependencies are required.

Blast Radius

  • The attacker executes arbitrary code in the context of the user running Microsoft Word, gaining full control over that process.
  • All files and data accessible to the victim user account can be read or exfiltrated.
  • The attacker can modify or delete files, registry entries, and other persisted data accessible to the victim user.
  • The attacker can crash or hijack the affected application and, depending on the user's privilege level, escalate further into the host OS.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45471 is active against all images in connected registries and build pipelines, including custom images that bundle Microsoft Office components. For environments running an affected version, a patched-image rebuild at the applicable fix version (16.0.5556.1000, 16.0.5556.1005, 16.0.10417.20153, or 16.0.19725.20384) becomes available automatically once the upstream package is confirmed present. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes a regression run, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is queued for manual review with full CVSS context and fix-version guidance attached.

See how HarborGuard automates this

Fix available

16.0.5556.100016.0.5556.100516.0.10417.2015316.0.19725.20384https://aka.ms/OfficeSecurityReleases
Patch commits
Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office 2019
    < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
  • Microsoft / Microsoft Office 365 for Mac
    -
  • Microsoft / Microsoft Office LTSC 2021
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office LTSC 2024
    < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
  • Microsoft / Microsoft Office LTSC for Mac 2021
    -
  • Microsoft / Microsoft Office LTSC for Mac 2024
    -
  • Microsoft / Microsoft SharePoint Enterprise Server 2016
    < 16.0.5556.1005 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server 2019
    < 16.0.10417.20153 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server Subscription Edition
    < 16.0.19725.20384 (from 16.0.0)
  • Microsoft / Microsoft Word 2016
    < 16.0.5556.1000 (from 16.0.1)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References