CVE-2026-55045 – Microsoft Office Remote Code Execution Vulnerability
“A malicious document doesn't have to look suspicious to become the starting point of a serious security breach.”
An out-of-bounds read vulnerability in Microsoft Office allows an unauthorized attacker to execute arbitrary code on a local system. Although the vulnerability is classified as Remote Code Execution, Microsoft explains that the attack itself is carried out locally. Microsoft also confirms that the Preview Pane is an attack vector. Security updates have been released for affected Microsoft Office and Microsoft SharePoint products.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability affects Microsoft Office and Microsoft SharePoint through an out-of-bounds read flaw that can result in arbitrary code execution. Successful exploitation could allow an attacker to run malicious code with the privileges of the affected process, potentially leading to compromise of sensitive information, installation of malware, or further attacks against the environment. Microsoft advises installing all applicable updates for affected software where multiple update packages are offered.
EXPLOITS:
At the time of publication, the vulnerability has not been publicly disclosed and Microsoft has not detected active exploitation. Microsoft assesses exploitation as less likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the provided information does not confirm the existence of publicly available proof-of-concept exploit code.
TECHNICAL SUMMARY:
The vulnerability is caused by an out-of-bounds read (CWE-125) in Microsoft Office. Improper memory access can allow an attacker to execute arbitrary code on the affected system. Microsoft states that although the vulnerability is categorized as Remote Code Execution, the attack itself is executed locally. Microsoft also confirms that the Preview Pane is an attack vector, and customers should install all applicable security updates when multiple update packages are listed for affected products.
EXPLOITABILITY:
Affected products include Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. The provided CVSS v3.1 metrics indicate no privileges required and no user interaction. Microsoft also states that the Preview Pane is an attack vector and that users may be convinced to open a malicious Office file. For Microsoft Office 2019 (32-bit and 64-bit editions), the affected software table lists the CVSS score set as N/A, while the overall CVSS:3.1 highest base score for this CVE is 8.4.
BUSINESS IMPACT:
Microsoft Office and SharePoint are widely used to create, store, and share business information. Successful exploitation could allow attackers to execute malicious code, compromise endpoints or collaboration servers, steal sensitive information, deploy malware, or establish a foothold for broader attacks across the enterprise. Organizations using both Office and SharePoint should ensure all applicable updates are deployed.
WORKAROUND:
No mitigations or workarounds are available. Microsoft recommends installing all applicable security updates for the affected Office and SharePoint products.
URGENCY:
This vulnerability should be deployed urgently because it is rated Critical with a CVSS v3.1 base score of 8.4. Although Microsoft has not observed active exploitation, the vulnerability affects widely deployed Office and SharePoint products and can result in arbitrary code execution. Organizations should prioritize installing every applicable update package listed for affected software.
Key Details
- Affected Product
- Microsoft 365 Apps
- Attack Vector
- Local
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-125