HarborGuard Database
Severity: HIGH. CNA: microsoft.

CVE-2026-47293: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability

Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Metrics

  • CVSS v3.1: 7.0
  • Severity: HIGH
  • Fixed in: https://aka.ms/OfficeSecurityReleases
  • Affected Products: 4


HarborGuard Analysis

Synopsis

A use-after-free vulnerability in Microsoft Office Click-To-Run allows a locally authenticated attacker to elevate their privileges on the affected system. Exploitation is local-only and requires a low-privilege account, but no victim interaction is needed; once triggered, the attacker can read and write within the affected process context or crash it. Successful exploitation lets an attacker escalate to higher privilege levels, potentially taking control of the host. A patched-image rebuild is available on HarborGuard for environments running affected versions of Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, or Office LTSC 2024.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-47293 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream Microsoft and NVD feeds, including custom-built images that bundle Office Click-To-Run components. Coverage applies to all image layers, not just base images, so internally assembled enterprise images are included in the scan scope.

Triage (Available)

HarborGuard scores this CVE at 7.0 HIGH using the CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox inside each customer organization based on configured policy rules.

Patch (Available)

A patched-image rebuild pointing to the Microsoft-published fix release at https://aka.ms/OfficeSecurityReleases is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the service is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; the attacker does not need administrative credentials to trigger the vulnerability.

  • Victim interaction: Not required

    The exploit does not require a victim to take any action such as opening a file or clicking a link.

  • Attack complexity: High

    Attack complexity is high, meaning the exploit depends on specific timing, memory layout, or other environmental conditions that the attacker cannot fully control, reducing reliability.

Blast Radius

  • Reads sensitive data accessible to the elevated process, including credentials, configuration files, and application data stored on the host.
  • Modifies files, registry entries, or system configuration at the privilege level gained after escalation.
  • Crashes or destabilizes the Office Click-To-Run process or dependent services, causing application-level disruption.
  • Positions the attacker to persist on the host or pivot to further system resources by holding elevated privileges.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47293 activates the moment the advisory is ingested, matching against all customer images that include affected Office Click-To-Run versions. For environments running Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, or Office LTSC 2024 within the affected version ranges, a rebuild against the patched release (see https://aka.ms/OfficeSecurityReleases) is available. Where compliance policy permits, auto-remediation customers receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Because the CVSS temporal vector carries an Exploit Code Maturity of Unproven and a Remediation Level of Official Fix, teams that cannot immediately apply the patch may reduce exposure by restricting local shell access to least-privilege accounts and auditing which container images bundle Office Click-To-Run components.


Fix available: https://aka.ms/OfficeSecurityReleases

Affected packages

  • Microsoft / Microsoft 365 Apps for Enterprise: affected from 16.0.1; fixed in the release listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office 2019: affected from 19.0.0; fixed in the release listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office LTSC 2021: affected from 16.0.1; fixed in the release listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office LTSC 2024: affected from 16.0.0; fixed in the release listed at https://aka.ms/OfficeSecurityReleases

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C