HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-45472Published Modified CNA microsoft

CVE-2026-45472: Microsoft Office Remote Code Execution Vulnerability

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1
8.4
Severity
HIGH
Fixed in
16.0.5556.1005
Affected Products
9

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in Microsoft Office allows an attacker with local access to execute arbitrary code without any authentication or user interaction. The vulnerability is reachable locally, meaning the attacker must already have a process or shell on the affected host, and no privileges are required to trigger the overflow. Successful exploitation gives the attacker full control over the affected process, enabling arbitrary code execution with the permissions of the running Office application. A patched-image rebuild at version 16.0.5556.1005 (and equivalent channel releases) is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and active CI/CD pipelines, including custom-built images that bundle Microsoft Office components.

Available
Triage

HarborGuard scores this CVE at 8.4 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy, then routes the finding to the appropriate team inbox within the customer organization.

Available
Patch

A patched-image rebuild at version 16.0.5556.1005 (or the corresponding Microsoft 365 channel release) becomes available in HarborGuard as soon as the fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network-facing exposure is required to trigger the vulnerability.

  • AuthenticationNot required

    No account or credentials are required; the overflow can be triggered by any unprivileged local process.

  • Victim interactionNot required

    No user action is needed to trigger the overflow once the attacker has local code execution on the host.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.

Blast Radius

  • The attacker executes arbitrary code in the context of the Microsoft Office process, gaining the same file system and memory permissions as the running application.
  • Confidential data accessible to the Office process, including open documents, cached credentials, and locally stored files, is exposed to the attacker.
  • The attacker can modify or delete files, documents, and application state that the Office process has write access to.
  • The Office process can be crashed or made to behave arbitrarily, disrupting availability of the application for the affected user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45472 is active across all customer environments, matching scanned images against the affected version ranges for every Microsoft Office product listed in the advisory. For environments running Microsoft Office 2016 below 16.0.5556.1005, or any affected Microsoft 365 or LTSC channel build, a patched-image rebuild becomes available in HarborGuard as soon as the fixed package is resolvable from upstream. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, executes the configured regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For products where a specific fix version is not yet enumerated (Microsoft Office for Android, Microsoft Office 365 for Mac, Microsoft Office LTSC for Mac 2021), HarborGuard re-checks the advisory each ingest cycle and will make a patched rebuild available the moment Microsoft publishes a resolved version. In the interim, where compliance policy permits, reducing the footprint of Office components in container images and applying process-level isolation controls can limit the local attack surface.

See how HarborGuard automates this

Fix available

16.0.5556.1005https://aka.ms/OfficeSecurityReleases
Patch commits
Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office 2016
    < 16.0.5556.1005 (from 16.0.0)
  • Microsoft / Microsoft Office 2019
    < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
  • Microsoft / Microsoft Office 365 for Mac
    -
  • Microsoft / Microsoft Office for Android
    -
  • Microsoft / Microsoft Office LTSC 2021
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office LTSC 2024
    < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
  • Microsoft / Microsoft Office LTSC for Mac 2021
    -
  • Microsoft / Microsoft Office LTSC for Mac 2024
    -
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References