CVE-2026-45645: Microsoft Office Remote Code Execution Vulnerability
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 16.0.5556.1001
- Affected Products: 8
HarborGuard Analysis
Synopsis
A heap-based buffer overflow in Microsoft Office allows an attacker to execute arbitrary code on a victim's machine. The vulnerability is triggered locally and requires no authentication, but the victim must open a specially crafted Office document, making this a social-engineering attack delivered through malicious files. Successful exploitation gives the attacker full code execution in the context of the victim's user account, enabling data theft, file modification, or further system compromise. A patched-image rebuild at version 16.0.5556.1001 (and equivalent channel releases) is available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection of CVE-2026-45645 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle Microsoft Office components. Any image layer containing an affected Office version is flagged automatically.
Available
HarborGuard scores this CVE at 7.8 HIGH (CVSS v3.1) and surfaces findings through each customer's configured compliance policy weighting, which can elevate or suppress severity based on environment-specific risk tolerance. Routed alerts reach the right team inbox inside each customer org based on image ownership and policy rules.
Available
A patched-image rebuild at the fixed Office version (16.0.5556.1001 for Office 2016; the corresponding channel release for Microsoft 365 and LTSC products) becomes available in HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host, or more commonly delivers a malicious document for the victim to open locally; no over-the-network service exposure is required.
- Authentication: Not required
No authentication or account credentials are required; the attacker exploits the vulnerability through a crafted document without any prior access to the target system.
- Victim interaction: Required
The victim must open a specially crafted Office file, meaning the attack depends on a social-engineering step such as a phishing email or a malicious download.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental preconditions beyond the victim opening the file.
Blast Radius
- Executes arbitrary code in the context of the victim's user account, giving the attacker full control over anything that account can reach.
- Reads files accessible to the victim, including documents, credentials cached on disk, and browser-stored secrets.
- Writes or modifies files on the local filesystem, including dropping persistent malware or altering application data.
- Crashes or destabilizes the affected Office process, though full code execution makes denial of service the least likely attacker goal.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45645 activates within minutes of publication for any customer image that bundles a Microsoft Office installation below the fixed version. Where compliance policy permits, auto-remediation customers receive a rebuilt image based on the patched Office release, a regression-test run against that image, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage their own patching can use the HarborGuard findings dashboard to identify every affected image and track remediation status. Because exploitation requires victim interaction via a malicious document, teams that cannot immediately rebuild should consider supplementary controls such as disabling macro execution in Office policy, applying network-egress filtering on workloads running Office components, and isolating document-processing containers from sensitive internal services.
Fix available
- Microsoft / Microsoft 365 Apps for Enterprise: < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
- Microsoft / Microsoft Office 2016: < 16.0.5556.1001 (from 16.0.0)
- Microsoft / Microsoft Office 2019: < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
- Microsoft / Microsoft Office 365 for Mac: -
- Microsoft / Microsoft Office LTSC 2021: < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
- Microsoft / Microsoft Office LTSC 2024: < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
- Microsoft / Microsoft Office LTSC for Mac 2021: -
- Microsoft / Microsoft Office LTSC for Mac 2024: -
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C