CVE-2026-45643: Microsoft Office Word RCE Vulnerability

CVE-2026-45643 Overview

CVE-2026-45643 is a local code execution vulnerability in Microsoft Office Word. The flaw stems from an untrusted pointer dereference [CWE-822] in the application's document parsing logic. An attacker who crafts a malicious Word document can trigger the dereference when a user opens the file. Successful exploitation results in arbitrary code execution in the context of the current user.

The vulnerability requires user interaction but no prior authentication. Microsoft documents the issue in the Microsoft Security Update CVE-2026-45643 advisory.

Critical Impact

Opening a weaponized Word document allows an unauthorized attacker to execute code locally with the privileges of the targeted user.

Affected Products

• Microsoft Office Word (versions as enumerated by Microsoft's security update guide)
• Office installations across supported Windows desktop platforms
• Office deployments that process untrusted documents from email, web, or shared storage

Discovery Timeline

• 2026-06-09 - CVE-2026-45643 published to the National Vulnerability Database (NVD)
• 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-45643

Vulnerability Analysis

The vulnerability is classified under [CWE-822: Untrusted Pointer Dereference]. Microsoft Office Word dereferences a pointer value that originates from attacker-controlled document content without verifying that the pointer references a valid, expected memory region. When Word parses the malicious file, the corrupted pointer is read and used as a target for memory access or control-flow operations.

Because the pointer value is influenced by data inside the document, an attacker can steer execution toward attacker-prepared memory. The Exploit Prediction Scoring System (EPSS) currently places the probability of exploitation in the lower percentile range, indicating no observed in-the-wild activity at publication.

Root Cause

The root cause is missing validation of a pointer that is reconstructed or read from structured document data. Word treats the value as a trusted reference and dereferences it during parsing. Without bounds checks or sanity validation, the application accesses memory chosen by the attacker, which can lead to controlled corruption or hijacked execution flow.

Attack Vector

The attack vector is local with required user interaction. An attacker delivers a crafted .doc, .docx, or related Office document through phishing email, web download, removable media, or a collaboration platform. When the victim opens the document in Word, the untrusted pointer dereference is triggered. Code then executes with the user's privileges, enabling persistence, credential theft, or lateral movement.

No verified public proof-of-concept code is available. Technical specifics are limited to the information provided in the Microsoft Security Response Center advisory.

Detection Methods for CVE-2026-45643

Indicators of Compromise

• Microsoft Word (WINWORD.EXE) spawning unexpected child processes such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe
• Word processes performing network connections to untrusted external hosts shortly after document open events
• Office documents arriving from external senders containing unusual embedded objects, OLE streams, or shellcode-like binary blobs
• Crash dumps referencing WINWORD.EXE with access violations on invalid pointer addresses

Detection Strategies

• Hunt for parent-child process relationships where Office binaries launch script interpreters or living-off-the-land binaries
• Inspect inbound email attachments and SharePoint uploads for Word documents containing anomalous OLE or embedded object structures
• Correlate Word crash telemetry with subsequent process creation or file write activity in the user profile directory

Monitoring Recommendations

• Enable Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes
• Forward Sysmon Event IDs 1, 7, and 11 from Office endpoints into a centralized analytics platform for behavioral review
• Track outbound HTTP and DNS activity initiated by Office processes against threat intelligence feeds

How to Mitigate CVE-2026-45643

Immediate Actions Required

• Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-45643 to all affected Office installations
• Enforce Protected View for documents originating from the internet, email, and unsafe locations
• Restrict execution of macros and active content from documents that bypass Mark-of-the-Web
• Educate users to avoid opening unsolicited Word attachments and to report suspicious files

Patch Information

Microsoft has issued a security update through the standard Office servicing channels. Administrators should consult the Microsoft Security Update CVE-2026-45643 entry for the precise build numbers, Click-to-Run channel versions, and Microsoft Update catalog packages applicable to their deployment.

Workarounds

• Open documents from untrusted sources in Office Online or a sandboxed environment instead of the desktop client
• Deploy Attack Surface Reduction rules that block Office child process creation and Win32 API calls from Office macros
• Use Group Policy to disable legacy file format parsing where business processes permit

# Configuration example: enable ASR rules via PowerShell to block Office child processes
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Set-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
Set-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled