CVE-2026-45463 – Microsoft Office Remote Code Execution Vulnerability
“A malicious Office file can turn everyday document handling into a direct path for code execution.”
CVE-2026-45463 is a Microsoft Office Remote Code Execution vulnerability associated with CWE-191: Integer Underflow and CWE-121: Stack-based Buffer Overflow. The provided executive summary also references a use-after-free issue, so the weakness details are inconsistent in the source data. The vulnerability allows an unauthorized attacker to execute code locally, and the Preview Pane is confirmed as an attack vector.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability creates a serious document-based attack risk in Microsoft Office. A crafted file could trigger memory corruption and allow code execution on the affected device. Because Office files are widely used across business environments, attackers may use normal document workflows to reach users.
EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept code is identified in the available data.
TECHNICAL SUMMARY:
The vulnerability is linked to an integer underflow and stack-based buffer overflow condition in Microsoft Office. These flaws can cause improper memory handling, potentially allowing crafted content to corrupt memory and execute arbitrary code. The CVSS metrics show Local attack vector, Low attack complexity, No privileges required, and No user interaction. Microsoft also confirms the Preview Pane as an attack vector.
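A generic illustration of the two weakness classes named above, an integer underflow (CWE-191) feeding a copy into a fixed-size buffer (CWE-121), next to the checks that prevent it. This is an added example: it is not Microsoft Office code and does not describe the actual flaw behind CVE-2026-45463. The record layout, HDR_LEN and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (assumption, not an Office format):
 * bytes 0-3 declared total length (little-endian), bytes 4-7 tag, then payload. */
#define HDR_LEN 8u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked length math: when declared < HDR_LEN the unsigned subtraction
 * wraps (CWE-191). The value is only returned here, never used for a copy. */
size_t payload_len_unchecked(uint32_t declared)
{
    return (size_t)(declared - HDR_LEN);
}

/* Checked parse: copies the payload into dst (often a fixed-size stack buffer
 * in the caller, the CWE-121 target) and returns its length, or -1 on reject. */
long parse_record(const uint8_t *rec, size_t avail, uint8_t *dst, size_t dst_len)
{
    uint32_t declared;
    size_t n;

    if (rec == NULL || dst == NULL || avail < HDR_LEN)
        return -1;                      /* header itself is truncated */
    declared = rd_le32(rec);
    if (declared < HDR_LEN)
        return -1;                      /* subtraction would underflow */
    if (declared > avail)
        return -1;                      /* claims more bytes than were supplied */
    n = (size_t)declared - HDR_LEN;
    if (n > dst_len)
        return -1;                      /* would overrun the destination */
    memcpy(dst, rec + HDR_LEN, n);
    return (long)n;
}
```

The order of the checks matters: the declared length is validated before the subtraction, and the result is bounded against the destination before the copy.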
EXPLOITABILITY:
Affected Microsoft Product: Microsoft Office
Affected software includes Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office for Android, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, and Microsoft Office LTSC for Mac 2024.
BUSINESS IMPACT:
Successful exploitation could allow malware execution, sensitive data theft, unauthorized access, and compromise of user systems. The business risk is high because Office documents are common in email, collaboration tools, and daily workflows.
WORKAROUND:
No workarounds are listed.
No mitigations are listed.
URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.4. The Preview Pane is an attack vector, and the issue affects multiple Office platforms. Organizations should prioritize patching Microsoft Office installations to reduce the risk of document-based code execution.
Key Details
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-121