A newly published vulnerability identifier, CVE-2026-45456, has set off discussion among security professionals because of a seemingly contradictory classification: Microsoft labels it as “Remote Code Execution” (RCE), while the CVSS v3.1 attack vector is “Local” (AV:L). This discrepancy is not unique, but it highlights a persistent communication gap between vendor-specific severity ratings and the industry-standard Common Vulnerability Scoring System. For Windows users who rely on Outlook and Word daily, understanding what such a rating actually means is critical to assessing real-world risk.
The paradox at the heart of CVE-2026-45456
According to the limited information attached to the CVE, Microsoft’s security response team determined that exploitation can be triggered via email messages, a network vector that invites the “remote” label. However, the CVSS vector string assigns AV:L, meaning the attacker must have local access to the target system to carry out the final step of exploitation. As the excerpt clarifies: “Microsoft labels CVE-2026-45456 as remote code execution because the attacker can be remote from the victim, while the CVSS attack vector is Local because exploitation ultimately occurs through code [execution on the local machine].”
The practical outcome is an RCE vulnerability that requires user interaction and executes on the victim’s own machine, but whose initial delivery can happen remotely, commonly through a malicious document attached to an email or hosted on a web server. In the context of Outlook and Word, the most plausible scenario is an attacker sending a specially crafted Word file that, when opened, exploits a flaw allowing arbitrary code to run. Because the attacker needs neither physical nor network access to the machine and can send the lure from anywhere, Microsoft’s threat model classifies this as remote. CVSS, on the other hand, scores the vulnerable component: Word’s document parser is not bound to the network stack, and the bug is only reached when a user opens the file, which the v3.1 specification explicitly lists as a Local attack vector. This distinction matters for IT admins who prioritize patches based on network exposure.
How CVSS defines “Attack Vector”
The CVSS v3.1 specification defines four possible values for Attack Vector: Network (AV:N), Adjacent (AV:A), Local (AV:L), and Physical (AV:P). AV:L applies when the vulnerable component is not bound to the network stack: the attacker either exploits it through local read/write/execute access to the system (a console session or an existing remote shell) or relies on user interaction by another person, such as tricking a user into opening a malicious document. Microsoft’s Critical/Important/Moderate/Low severity rating is a separate scale from CVSS; the company publishes a CVSS base vector alongside it, but has historically applied a higher severity rating when a vulnerability is “wormable” or can be initiated from a remote source.
In CVE-2026-45456’s case, the Local attack vector indicates that the vulnerability cannot be exploited without the victim opening a file or performing some other action. There is no self-propagating network attack; an attacker cannot simply send a packet and gain control. This reduces the urgency compared to a truly network-exploitable flaw, such as an unauthenticated bug in an internet-facing service like Exchange Server, but it does not eliminate the risk in environments where users routinely open attachments.
The Outlook angle
When a vulnerability is filed under Outlook security, mail-based delivery is the obvious threat vector. Attackers can craft emails with attached Open XML or RTF documents, or embedded OLE objects, that reach parser bugs in Word’s rendering engine. Protected View in Word and Outlook’s attachment-blocking list mitigate many such attacks, but a flaw marked RCE with AV:L still poses a substantial risk if the attacker can convince a user to open the file and leave Protected View or enable content.
For Word, the risk is similar. Macros are no longer the only vehicle; font parsing, image rendering, and stylesheet processing have all been historical sources of such bugs. Microsoft’s security updates for Word-related RCEs often come with high severity tags, and IT teams treat them as priority patches regardless of the CVSS vector.
Why Microsoft’s classification matters
Microsoft’s rating is the severity attached to the update in WSUS, Microsoft Endpoint Configuration Manager, and the Security Update Guide. When Microsoft says “Remote Code Execution,” administrators know they need to patch quickly, even if the CVSS base score is moderate. This is a pragmatic approach: a vulnerability that can be triggered by a user receiving an email is operationally remote, because the user is the weakest link. The company has long argued that CVSS alone does not capture the full business impact, especially in enterprise environments where endpoints are heavily targeted via phishing.
Still, the mismatch often causes confusion among security auditors and automated vulnerability scanners, which rely on CVSS scores to prioritize remediation. A scanner might flag an RCE bulletin from Microsoft but assign it a lower CVSS score due to the AV:L vector, leading to deprioritization. Security teams must manually override or create custom policies to ensure such patches are applied quickly in accordance with Microsoft’s guidance.
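The custom policy that paragraph calls for can be a small, explicit rule set rather than a per-ticket override. The following is an added illustration written for this article, not code from any scanner product or from Microsoft. The finding records are constructed: the two historical vectors follow the NVD entries for CVE-2017-0199 and CVE-2023-29336 as discussed later in this article, and the unnamed records are invented to exercise each branch of the policy. The `Finding` shape and the P1/P2/P3 tiers are assumptions, not any vendor’s schema.

```python
"""Patch-triage policy that reconciles a vendor's vulnerability class and
severity with the CVSS v3.1 base vector. Added example for this article;
not scanner or Microsoft code. Findings below are constructed test data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    vendor_class: str        # e.g. "Remote Code Execution", as the MSRC advisory words it
    vendor_severity: str     # "Critical", "Important", "Moderate" or "Low"
    cvss_vector: str         # CVSS:3.x base vector string
    exploited_in_wild: bool = False


def base_metrics(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:L/AC:L/...' into {'AV': 'L', 'AC': 'L', ...}."""
    prefix, sep, rest = vector.partition("/")
    if not prefix.startswith("CVSS:3.") or not sep:
        raise ValueError(f"not a CVSS 3.x vector: {vector!r}")
    metrics = {}
    for part in rest.split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    for required in ("AV", "PR", "UI"):
        if required not in metrics:
            raise ValueError(f"vector missing {required}: {vector!r}")
    return metrics


def delivery_is_remote(metrics: dict) -> bool:
    """AV:L plus UI:R is exactly the 'user opens a crafted file' shape:
    the trigger is local, but the lure arrives over the network."""
    if metrics["AV"] in ("N", "A"):
        return True
    return metrics["AV"] == "L" and metrics["UI"] == "R"


def priority(f: Finding) -> str:
    """P1 = patch this cycle, out of band if needed; P2 = normal monthly
    cadence; P3 = routine. The first two rules are the overrides the article
    argues for: anything exploited, and vendor RCE whose lure is remote."""
    m = base_metrics(f.cvss_vector)
    if f.exploited_in_wild:
        return "P1"
    if f.vendor_class == "Remote Code Execution" and delivery_is_remote(m):
        return "P1"                       # AV:L alone must not downgrade this
    if f.vendor_severity == "Critical":
        return "P1"
    if m["AV"] == "N" and m["PR"] == "N":
        return "P1"                       # unauthenticated network reach
    if f.vendor_severity == "Important":
        return "P2"
    return "P3"


def triage(findings) -> list:
    """Return (priority, cve) pairs, most urgent first."""
    return sorted((priority(f), f.cve) for f in findings)


# Constructed sample findings. The two historical vectors follow the NVD
# entries as discussed in the article; the 'constructed-*' ones are made up.
SAMPLE_FINDINGS = [
    Finding("CVE-2017-0199", "Remote Code Execution", "Critical",
            "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),
    Finding("CVE-2023-29336", "Elevation of Privilege", "Important",
            "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", exploited_in_wild=True),
    Finding("constructed-local-eop", "Elevation of Privilege", "Important",
            "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    Finding("constructed-doc-rce", "Remote Code Execution", "Important",
            "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),
    Finding("constructed-info-leak", "Information Disclosure", "Moderate",
            "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"),
]

if __name__ == "__main__":
    for prio, cve in triage(SAMPLE_FINDINGS):
        print(prio, cve)
```

The interesting case is `constructed-doc-rce`: a scanner keyed purely on the 7.8 AV:L score would file it with the unexploited local privilege escalation, but the vendor class plus UI:R puts it in the same tier as the network bugs. Keeping the rules as plain code also means the override is reviewable and testable, rather than living in a scanner’s per-finding exception list.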
Historical parallels in Office vulnerabilities
CVE-2026-45456 is not the first instance of this classification divide. In 2017, CVE-2017-0199 was a remote code execution vulnerability in Microsoft Office and WordPad that let attackers download and run malware via a crafted RTF document. Microsoft rated it as critical, yet its CVSS v3 base score in NVD is 7.8 with a Local attack vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the standard profile of a bug triggered by a user opening a file; the same impacts with AV:N would score 8.8. The older CVSS v2 score of 9.3 did use a Network vector, because v2 treated file-delivered bugs as remote, which is part of why the two systems still talk past each other. Many Word macro-based flaws have likewise been marked AV:L even though the lure arrives remotely. The pattern is consistent: Microsoft elevates the severity based on the initial attack chain, while CVSS scores the final stage.
A more recent example from the May 2023 Patch Tuesday release saw a similar debate around CVE-2023-29336, a Win32k elevation of privilege vulnerability. Although not an RCE, it was exploited in the wild and Microsoft stressed its importance, while its CVSS base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) looks like any other local privilege escalation and says nothing about active exploitation. The lesson is that security teams should read both the Microsoft severity rating and the CVSS vector, check exploitation status, understand the exploitation prerequisites, and apply judgement rather than relying on a single score.
User impact and what to do now
Details on CVE-2026-45456 are still scarce: the CVE has been reserved, and as of this writing, Microsoft has not yet published a full Security Update Guide entry. However, based on the information available, the vulnerability likely affects supported versions of Microsoft Outlook and Microsoft Word. Users of Microsoft 365 Apps for enterprise, Office 2019, Office 2021, and possibly Office LTSC editions should prepare for an update in an upcoming Patch Tuesday release.
Until the patch is delivered, basic security hygiene can reduce the risk:
- Enable Protected View for all Office documents originating from the internet. This is the default, but group policies sometimes disable it; check that the Office policy “Do not open files from the Internet zone in Protected View” is not enabled.
- Block dangerous attachment types before they reach the user. Outlook’s Level 1 attachment list blocks by extension for every sender, so per-sender decisions (for example, rejecting .docm, .doc, or .rtf files from outside the organization) belong in Exchange mail flow rules or your secure email gateway.
- Use Attack Surface Reduction rules in Microsoft Defender for Endpoint, in particular “Block all Office applications from creating child processes,” “Block Win32 API calls from Office macros,” and “Block executable content from email client and webmail.” Run new rules in audit mode first to catch legitimate add-ins that would otherwise break.
- Train users to scrutinize email attachments, even from known contacts, and never enable editing or content unless absolutely necessary.
Administrators should monitor the Microsoft Security Response Center (MSRC) Security Update Guide for the official advisory and patch. For Microsoft 365 Apps the fix will ship through the Click-to-Run update channels; for MSI-based Office editions it will be a separate update with its own KB article detailing the vulnerability’s scope.
The bigger picture: CVSS vs. real-world risk
The CVE-2026-45456 confusion forces a broader discussion on how the industry scores vulnerabilities. The CVSS 3.1 base score is deterministic and by design ignores threat intelligence and exploitation context; those belong to the temporal and environmental metric groups, the latter of which only the deploying organization can fill in. Microsoft publishes a temporal score (exploit code maturity, remediation level, report confidence) alongside the base score in its advisories to narrow the gap, but not all vendors do the same. For Windows administrators, the takeaway is clear: treat Microsoft’s “Remote Code Execution” classification as a directive to patch immediately, even if the CVSS mathematics suggest a lower urgency.
Security researchers have long advocated for a scoring system that more accurately reflects the modern attack landscape. With the advent of cloud-delivered attacks, the line between “remote” and “local” blurs. A user opening a file from a network share or downloading a document from a compromised SharePoint site is not entirely local nor fully remote. Until the industry reaches a consensus, security teams must decode these mixed signals using their own threat models.
Looking forward
Microsoft is likely to provide further clarification when the official advisory drops. They may update the CVSS vector after additional analysis; this has happened in the past when initial assessments were revised. For now, CVE-2026-45456 serves as a reminder that vulnerability ratings are a language, not a verdict. The wise Windows enthusiast or IT pro will parse both the headline and the metrics to determine the true risk to their systems.