CVE-2026-47293 Overview
CVE-2026-47293 is a use-after-free vulnerability [CWE-416] in Microsoft Office Click-To-Run. An authorized local attacker can exploit the flaw to elevate privileges on the affected host. Microsoft published the advisory through its Security Update Guide, and the issue carries a CVSS 3.1 base score of 7.0.
Successful exploitation requires local access and low privileges, but the attack complexity is high. No user interaction is required. The flaw impacts confidentiality, integrity, and availability when triggered. Public exploit code is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
An authorized local attacker who wins a memory reuse race in Microsoft Office Click-To-Run can elevate privileges and gain full control over the host context the service runs under.
Affected Products
- Microsoft Office Click-To-Run (specific build versions not enumerated in the NVD record)
- Microsoft 365 Apps deployments delivered via the Click-To-Run installer service
- Standalone Office installations using the Click-To-Run update channel
Discovery Timeline
- 2026-06-09 - CVE-2026-47293 published to the National Vulnerability Database
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-47293
Vulnerability Analysis
The vulnerability is a use-after-free condition in Microsoft Office Click-To-Run, the streaming installer and update service used by Microsoft 365 Apps and modern Office installations. A use-after-free occurs when a program continues to reference memory after that memory has been released. An attacker who controls the contents of the reclaimed allocation can redirect program flow or corrupt privileged state.
Because Click-To-Run components run with elevated privileges to manage installation, patching, and virtualization of Office binaries, abuse of freed object references inside this service crosses a privilege boundary. The attacker context is a low-privileged local user, while the targeted process operates with higher integrity.
The CWE-416 classification and the high attack complexity flag indicate that the bug requires specific conditions, most likely a race window between object release and reuse. EPSS scoring placed the near-term exploitation probability low at the time of publication.
Root Cause
The root cause is improper lifetime management of an object inside the Click-To-Run service. A code path releases an allocation while another path retains a dangling reference. When the dangling reference is dereferenced, attacker-controlled data placed into the reused slot influences subsequent operations executed by the privileged service.
Attack Vector
The attack vector is local. An authenticated user on the system triggers the vulnerable code path in OfficeClickToRun.exe or an associated component and races to control the reclaimed allocation. Successful exploitation yields code execution at the privilege level of the Click-To-Run service, enabling local privilege escalation.
No verified exploit code is published for this issue. Refer to the Microsoft Security Update Guide entry for CVE-2026-47293 for vendor technical context.
Detection Methods for CVE-2026-47293
Indicators of Compromise
- Unexpected child processes spawned by OfficeClickToRun.exe or OfficeC2RClient.exe, particularly command interpreters or scripting hosts
- New or modified files inside %ProgramFiles%\Common Files\Microsoft Shared\ClickToRun\ that are not associated with a sanctioned Office update
- Crash artifacts or Windows Error Reporting entries referencing Click-To-Run modules followed by privileged process activity from the same user session
Detection Strategies
- Hunt for low-integrity user processes opening handles to Click-To-Run service objects or injecting into Click-To-Run processes
- Alert on service binary replacement, DLL sideloading attempts, or unsigned module loads inside the Click-To-Run process tree
- Correlate local logon events with subsequent token elevation or new SYSTEM-context process creation tied to Office update components
Monitoring Recommendations
- Enable Windows Defender Application Control or comparable allowlisting to log unexpected modules loaded by Office services
- Forward Sysmon Event IDs 1, 7, 10, and 11 scoped to Click-To-Run binaries into a centralized analytics platform
- Review Microsoft-Windows-Application-Experience and Service Control Manager logs for abnormal Click-To-Run restarts or crashes preceding privilege changes
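The indicators, detection strategies and Sysmon recommendations above translate fairly directly into per-event checks. The following prototype is an added example, not part of the original advisory: it evaluates Sysmon events (IDs 1, 7, 10 and 11) that have already been parsed into dicts keyed by Sysmon field name, and flags the four patterns described above. The sample events at the bottom are constructed for illustration and are not real telemetry; the list of interpreter names and the access-rights mask are the author's assumptions about what a reasonable first-cut rule should use.

```python
"""Prototype checks for the Click-To-Run hunting guidance (added example, not part
of the original advisory). Input is Sysmon events (IDs 1, 7, 10, 11) already
parsed into dicts keyed by Sysmon field name; SAMPLE_EVENTS below are constructed."""
from __future__ import annotations

C2R_DIR = "c:\\program files\\common files\\microsoft shared\\clicktorun\\"
C2R_IMAGES = {"officeclicktorun.exe", "officec2rclient.exe"}
# Interpreters and scripting hosts the installer service has no reason to spawn (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
# Process access rights that allow writing into or running code in the target:
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_c2r(path: str) -> bool:
    return _basename(path) in C2R_IMAGES


def evaluate(event: dict) -> str | None:
    """Return an alert label for one Sysmon event, or None if it looks benign."""
    eid = int(event["EventID"])
    if eid == 1:  # process create: interpreter spawned by a Click-To-Run binary
        if _is_c2r(event["ParentImage"]) and _basename(event["Image"]) in SUSPICIOUS_CHILDREN:
            return "suspicious child of Click-To-Run"
    elif eid == 7:  # image load: unsigned module inside a Click-To-Run process
        if _is_c2r(event["Image"]) and str(event.get("Signed", "false")).lower() != "true":
            return "unsigned module loaded into Click-To-Run process"
    elif eid == 10:  # process access: outside process opens an injection-capable handle
        granted = int(str(event["GrantedAccess"]), 16)
        if (_is_c2r(event["TargetImage"]) and not _is_c2r(event["SourceImage"])
                and granted & INJECT_RIGHTS):
            return "injection-capable handle opened to Click-To-Run process"
    elif eid == 11:  # file create: write into the ClickToRun tree not done by the service
        # Sanctioned updates are written by the Click-To-Run binaries themselves,
        # so a write by any other image is the first-cut signal.
        if event["TargetFilename"].lower().startswith(C2R_DIR) and not _is_c2r(event["Image"]):
            return "file written into Click-To-Run directory by non-Office process"
    return None


C2R = "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": C2R + "OfficeC2RClient.exe", "ParentImage": C2R + "OfficeClickToRun.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": C2R + "OfficeClickToRun.exe"},
    {"EventID": 7, "Image": C2R + "OfficeClickToRun.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": C2R + "OfficeClickToRun.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetImage": C2R + "OfficeClickToRun.exe", "GrantedAccess": "0x1410"},   # query/read only
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetImage": C2R + "OfficeClickToRun.exe", "GrantedAccess": "0x1F0FFF"},  # full access
    {"EventID": 11, "Image": C2R + "OfficeClickToRun.exe",
     "TargetFilename": C2R + "Updates\\stream.x64.x-none.dat"},                  # update write
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetFilename": C2R + "unexpected.dll"},
]


def run(events=SAMPLE_EVENTS) -> list[tuple[int, str]]:
    """Evaluate every event and return (index, alert) pairs for the hits."""
    return [(i, label) for i, ev in enumerate(events) if (label := evaluate(ev))]


if __name__ == "__main__":
    for i, label in run():
        print(f"event {i}: {label}")
```

The event 10 check keys on GrantedAccess rather than on the source process's integrity level because Sysmon does not record integrity on process-access events; a read-only handle (0x1410) is common from legitimate tooling and is deliberately not flagged, while any mask carrying thread-creation or VM-write rights is. Tune the exclusions (known EDR agents, backup software) before deploying this against production volume.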
How to Mitigate CVE-2026-47293
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-47293 to all Office Click-To-Run installations
- Inventory endpoints with Microsoft 365 Apps or Office Click-To-Run deployments and validate they are on a supported update channel
- Restrict interactive local logon on multi-user systems such as terminal servers and shared workstations until patches are deployed
Patch Information
Microsoft addresses CVE-2026-47293 through its standard Click-To-Run servicing pipeline. Verify the Office build through File → Account → About in any Office application, or by inspecting the version reported by OfficeC2RClient.exe /update user. Confirm the installed build matches or exceeds the fixed version listed in the Microsoft Security Update Guide entry.
Workarounds
- No vendor-supplied workaround replaces patching; prioritize update deployment through Microsoft Configuration Manager, Intune, or the Office Deployment Tool
- Limit local accounts on sensitive endpoints and enforce least privilege to reduce the population of users able to attempt local exploitation
- Monitor and constrain user-writable directories that Click-To-Run components read from to reduce opportunities for object replacement during the race window
# Force an immediate Click-To-Run update check and apply pending fixes (PowerShell; the & call operator is required to run a quoted path)
& "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user updatepromptuser=false forceappshutdown=true displaylevel=false
# Verify the resulting Office build version
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /v VersionToReport
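When the reg query above is run across a fleet and the output collected centrally, the build still has to be compared against the fixed version correctly: Office builds are four dotted integers, and a plain string comparison gets them wrong once a component has a different number of digits. The following is an added example, not part of the advisory or of any Microsoft tooling: it pulls VersionToReport out of reg query output and compares it numerically. The sample output is constructed, and FIXED_BUILD is a placeholder to be replaced with the fixed build listed in the Microsoft Security Update Guide entry for CVE-2026-47293.

```python
"""Extract VersionToReport from `reg query` output and compare it with the fixed
build (added example, not part of the original advisory). SAMPLE_OUTPUT is
constructed; FIXED_BUILD is a placeholder, not a real fixed version."""
import re
import sys

# PLACEHOLDER: replace with the fixed build from the MSRC advisory for your update channel.
FIXED_BUILD = "16.0.99999.99999"

# Matches the value line that `reg query ... /v VersionToReport` prints.
_VALUE_RE = re.compile(r"^\s*VersionToReport\s+REG_SZ\s+(\S+)\s*$", re.MULTILINE)


def parse_version(reg_output: str) -> str:
    """Return the VersionToReport string, or raise if the value is absent."""
    match = _VALUE_RE.search(reg_output)
    if not match:
        raise ValueError("VersionToReport not found in reg query output")
    return match.group(1)


def build_tuple(version: str) -> tuple[int, ...]:
    """Turn '16.0.18129.20158' into (16, 0, 18129, 20158) so comparison is numeric."""
    parts = version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Office build format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(reg_output: str, fixed_build: str = FIXED_BUILD) -> bool:
    """True when the installed build is at or above the fixed build."""
    return build_tuple(parse_version(reg_output)) >= build_tuple(fixed_build)


# Constructed sample of what `reg query` prints; the build number is illustrative.
SAMPLE_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration
    VersionToReport    REG_SZ    16.0.18129.20158
"""

if __name__ == "__main__":
    # Usage on Windows:  reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /v VersionToReport | python check_c2r.py
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    installed = parse_version(text)
    state = "patched" if is_patched(text) else "VULNERABLE"
    print(f"installed {installed}, fixed {FIXED_BUILD}: {state}")
```

Microsoft publishes a separate fixed build for each Office update channel, so a fleet check should look up FIXED_BUILD per channel (the same registry key carries the channel configuration) rather than using one value for every endpoint.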
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

