CVE-2026-45460 – Microsoft Office Information Disclosure Vulnerability
“A malicious Office file can quietly expose memory data before the user realizes the document was dangerous.”
CVE-2026-45460 is a Critical information disclosure vulnerability in Microsoft Office caused by a buffer over-read. An attacker could send a malicious Office file and convince a user to open it, or use the Preview Pane as an attack vector. Successful exploitation could allow the attacker to read small portions of heap memory.
CVSS Score: 4.7
SEVERITY: Critical
THREAT:
This vulnerability allows unauthorized information disclosure through a crafted Office file. User interaction is required, but no privileges are needed. The Preview Pane is also listed as an attack vector.
EXPLOITS:
Publicly Disclosed: No.
Exploited: No.
Exploitability Assessment: Exploitation Unlikely.
No public exploit, zero-day exploitation, or proof-of-concept code is confirmed in the provided data.
TECHNICAL SUMMARY:
CVE-2026-45460 is caused by a buffer over-read, identified as CWE-126, in Microsoft Office. When a malicious Office file is opened or previewed, Office may read beyond the intended memory boundary, which could expose small portions of heap memory. The CVSS v3.1 metrics are: local attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no integrity or availability impact.
EXPLOITABILITY:
Affected software includes Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office 365 for Mac, Microsoft Office LTSC for Mac 2021 and 2024, and Microsoft Office for Android.
Exploitation requires a user to open a malicious Office file or preview it through the Preview Pane.
BUSINESS IMPACT:
This vulnerability is dangerous because Office documents are widely exchanged through email, collaboration tools, and file shares. A successful attack could expose sensitive memory contents and support further attack activity, especially when combined with other vulnerabilities.
WORKAROUND:
No mitigations or workarounds are listed.
Where patching is delayed, avoid opening untrusted Office files, limit Preview Pane use for unknown documents, and monitor suspicious Office file activity.
URGENCY:
This patch should be prioritized because the vulnerability is marked Critical and affects widely used Office platforms. Although exploitation is assessed as unlikely, document-based attacks remain common and can expose sensitive information.
Key Details
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- CWE Classification: CWE-126