CVE-2026-45474 – Microsoft Office Remote Code Execution Vulnerability
“A document preview should never become a launch point for code execution.”
CVE-2026-45474 is a Microsoft Office Remote Code Execution vulnerability caused by a use-after-free (CWE-416) flaw. The vulnerability allows an unauthorized attacker to execute code locally. Although the title uses “Remote Code Execution,” the CVSS attack vector is Local. The Preview Pane is confirmed as an attack vector.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability creates a document-based code execution risk in Microsoft Office. A crafted Office file could trigger memory corruption and allow an attacker to run code on the affected device.
EXPLOITS:
The exploitability assessment is Exploitation Less Likely. The vulnerability is not publicly disclosed and not known to be exploited in the wild. Exploit Code Maturity is listed as Unproven, and no public proof-of-concept code is identified in the provided data.
TECHNICAL SUMMARY:
The vulnerability is caused by a use-after-free memory issue in Microsoft Office. A use-after-free occurs when Office accesses memory after it has been released, which can lead to memory corruption and arbitrary code execution. The CVSS metrics are Attack Vector: Local, Attack Complexity: Low, Privileges Required: None, and User Interaction: None.
EXPLOITABILITY:
Affected Microsoft Product: Microsoft Office
Affected software includes Microsoft Office 365 for Mac and Microsoft Office for Android. The Preview Pane is confirmed as an attack vector.
BUSINESS IMPACT:
Successful exploitation could allow malware execution, data theft, unauthorized access, and compromise of user systems. The risk is significant because Office documents are commonly used in daily business workflows.
WORKAROUND:
No workarounds are listed.
No mitigations are listed.
URGENCY:
This vulnerability is rated Critical with a CVSS v3.1 Base Score of 8.4. It affects Microsoft Office platforms, and the Preview Pane is a confirmed attack vector. Organizations should prioritize patching affected Office installations.
Key Details
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-416