CVE-2026-45472 – Microsoft Office Remote Code Execution Vulnerability
“A malicious Office file can turn a simple preview into a serious code execution risk.”
CVE-2026-45472 is a Microsoft Office Remote Code Execution vulnerability caused by a use-after-free (CWE-416) flaw. The vulnerability allows an unauthorized attacker to execute code locally. Although the title uses “Remote Code Execution,” the CVSS attack vector is Local. The Preview Pane is confirmed as an attack vector, increasing exposure during normal document review.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability creates a dangerous document-based attack path in Microsoft Office. A crafted file could trigger memory corruption and allow code execution on the affected device, putting user systems and sensitive business data at risk.
EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept code is identified in the available data.
TECHNICAL SUMMARY:
The vulnerability is caused by a use-after-free memory issue in Microsoft Office. This occurs when the application improperly accesses memory after it has been released, which can lead to memory corruption and arbitrary code execution. The CVSS metrics show Local attack vector, Low attack complexity, No privileges required, and No user interaction.
EXPLOITABILITY:
Affected Microsoft Product: Microsoft Office
Affected software includes Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office for Android, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, and Microsoft Office LTSC for Mac 2024.
BUSINESS IMPACT:
Successful exploitation could allow malware execution, data theft, unauthorized access, and compromise of user systems. Because Office documents are used daily across most organizations, this vulnerability presents a practical risk through routine document handling and preview workflows.
WORKAROUND:
No workarounds are listed.
No mitigations are listed.
URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.4. The Preview Pane is an attack vector, and the issue affects multiple Microsoft Office platforms. Organizations should prioritize patching Office installations to reduce the risk of document-based code execution.
Key Details
- Affected Product: Microsoft 365 Apps
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-416