Severity: HIGH | CVE-2026-45474 | CNA: microsoft

CVE-2026-45474: Microsoft Office Remote Code Execution Vulnerability

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1: 8.4
Severity: HIGH
Fixed in: 16.0.5556.1005
Affected Products: 9

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in Microsoft Office allows an attacker with local access to execute arbitrary code without any credentials or user interaction. The vulnerability is reached locally, meaning an attacker who already has a shell or process on the affected host can trigger the overflow directly. Successful exploitation gives the attacker full control over the process, enabling arbitrary code execution with high impact on confidentiality, integrity, and availability. A patched-image rebuild at version 16.0.5556.1005 (and equivalent Click-to-Run releases per the Microsoft Office Security Releases page) is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-45474 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the Microsoft Security Response Center advisory. Coverage extends to custom-built images that bundle Microsoft Office components, ensuring no affected image goes undetected regardless of how it was assembled.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.4 HIGH and weighting it against each customer environment's compliance policy to surface severity-appropriate urgency. Triage routing is available to direct findings to the correct team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild targeting the fixed Office release (16.0.5556.1005 for Office 2016; current Click-to-Run channel for Microsoft 365 Apps, Office 2019, LTSC 2021, and LTSC 2024) becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network path to the service is required to trigger the overflow.

  • Authentication: Not required

    No credentials or account are required; the overflow can be triggered by any process already running on the affected host.

  • Victim interaction: Not required

    No user action is needed to trigger the vulnerability once the attacker has local execution context.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout dependencies, or other environmental factors.

Blast Radius

  • Attacker executes arbitrary code in the context of the affected Microsoft Office process, gaining the same privileges as the running application.
  • All files and data accessible to the Office process can be read, including locally cached documents, credentials stored by Office integrations, and authentication tokens.
  • Attacker can write or overwrite files accessible to the process, modifying documents, configuration, or data persisted on the host.
  • The affected Office process can be crashed or forced into an unresponsive state, disrupting document processing or any pipeline stage that depends on Office components.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing an affected Microsoft Office version, covering both vendor-supplied and custom-built images. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs a regression test, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For Mac, Android, and LTSC for Mac variants where a discrete fix version is not yet enumerated in the advisory, HarborGuard re-checks the upstream advisory each ingest cycle and makes the patched rebuild available the moment a specific fix version is confirmed. Where compliance policy or environment constraints prevent auto-remediation, HarborGuard surfaces the finding with full CVSS context and fix-version guidance so teams can action it manually.

Fix available

  • 16.0.5556.1005
  • https://aka.ms/OfficeSecurityReleases

Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office 2016
    < 16.0.5556.1005 (from 16.0.0)
  • Microsoft / Microsoft Office 2019
    < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
  • Microsoft / Microsoft Office 365 for Mac
    -
  • Microsoft / Microsoft Office for Android
    -
  • Microsoft / Microsoft Office LTSC 2021
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office LTSC 2024
    < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
  • Microsoft / Microsoft Office LTSC for Mac 2021
    -
  • Microsoft / Microsoft Office LTSC for Mac 2024
    -
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C