CVE-2026-45461 – Microsoft Office Remote Code Execution Vulnerability

CVSS 8.4 IMPORTANT

“A malicious Office file can turn normal document handling into a serious code execution risk.”

CVE-2026-45461 is a Microsoft Office Remote Code Execution vulnerability caused by a use-after-free (CWE-416) flaw. The vulnerability allows an unauthorized attacker to execute code locally. Although the title uses “Remote Code Execution,” the CVSS attack vector is Local, meaning the attack runs from the local machine. The Preview Pane is confirmed as an attack vector, increasing the risk during routine document review.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability creates a high-risk document-based attack path in Microsoft Office. A specially crafted Office file could allow code execution with high impact to confidentiality, integrity, and availability. Because Office documents are common in business workflows, attackers may attempt to use this flaw through files shared by email, collaboration platforms, or other document delivery methods.

EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept (PoC) code is identified in the available information.

TECHNICAL SUMMARY:
The vulnerability is caused by a use-after-free condition in Microsoft Office. This occurs when the application improperly references memory after it has been released, creating a memory corruption condition that may allow arbitrary code execution. The CVSS metrics show Low attack complexity, No privileges required, No user interaction, and High impact to confidentiality, integrity, and availability. Microsoft also confirms that the Preview Pane is an attack vector.

EXPLOITABILITY:
Affected Microsoft Product: Microsoft Office
Affected software includes Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office for Android, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, and Microsoft Office LTSC for Mac 2024.
The attack vector is Local, with Low attack complexity, No privileges required, and No user interaction listed in the CVSS metrics. The Preview Pane is confirmed as an attack vector.

BUSINESS IMPACT:
Microsoft Office is widely used across business environments, making this vulnerability a practical target for attackers. Successful exploitation could allow malware execution, data theft, unauthorized access to documents, and compromise of user systems. The Preview Pane exposure increases risk because users may interact with malicious content during normal review workflows.

WORKAROUND:
No workarounds are listed.
No mitigations are listed.

URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.4. It affects multiple Microsoft Office platforms and includes the Preview Pane as an attack vector. Organizations should prioritize patching Office installations to reduce the risk of document-based code execution.

KEY DETAILS:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-416