Microsoft dropped an unwelcome surprise on Mac administrators Monday with the publication of CVE-2026-45460. The advisory, issued June 9, 2026, warns of a critical vulnerability in Microsoft Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Microsoft 365 for Mac, but explicitly states that security updates are not immediately available. For IT teams managing fleets of Macs, that means a race against the clock with no official patch in hand.

The Vulnerability at a Glance

CVE-2026-45460 carries a CVSS score of 8.8, placing it firmly in the 'critical' category. Microsoft has classified the flaw as a remote code execution (RCE) vulnerability, triggered when a user opens a specially crafted file. While details remain sparse—as is standard practice during the early hours of a disclosure—the advisory confirms that exploitation requires user interaction, such as opening a malicious Office document. Attack complexity is rated low, meaning weaponization would not be difficult for a skilled adversary.

Affected products span Microsoft’s entire macOS Office portfolio: Office LTSC for Mac 2021, Office LTSC for Mac 2024, and the click-to-run Microsoft 365 for Mac. Notably, the advisory does not list any Windows versions, suggesting the bug resides in shared Mac-specific components—possibly the graphics rendering engine or sandboxing layer.

A Patch That Isn’t a Patch

Here’s the kicker: as of the advisory’s publication, Microsoft has not released a fix. The official Security Update Guide page for CVE-2026-45460 bluntly states: \"The security update is not available yet. Please check back.\" That’s an unusual move for a critical RCE, especially one that affects all current Mac Office editions. Typically, Microsoft synchronises its Patch Tuesday disclosures with the actual rollout of fixes. This public advisory sans patch suggests a last-minute testing failure, a supply chain hiccup, or a coordinated disclosure that fell out of sync.

Historical precedent offers little comfort. In 2023, Microsoft delayed a similar Office for Mac fix by three days after discovering a compatibility issue with macOS Ventura. If that timeline repeats, admins could be left exposed until June 12 or later. For organisations that rely on automated patch management, the delay introduces a maddening uncertainty: do you wait for the patch, or do you roll out mitigations that may disrupt user workflows?

Why This Delay Matters

The RCE label alone should raise red flags. Remote code execution vulnerabilities in Office are the bread and butter of advanced persistent threat groups. A weaponised document could land in an employee’s inbox, and if that employee opens it—without even enabling macros—the attacker could gain the same privileges as the user. In many corporate environments, that means access to sensitive files, network shares, and internal systems.

Mac users have historically been less targeted than their Windows counterparts, but that’s changing. The 2024 Mandiant M-Trends report noted a 40% year-over-year increase in macOS intrusions, driven largely by Office document lures. Adding fuel to the fire, Mac Office apps often run with fewer restrictions than their iOS counterparts, and enterprise deployment practices can inadvertently weaken sandbox protections. A patch delay of even 24 hours isn’t trivial—it’s an invitation to attackers who monitor CVE disclosures and reverse-engineer vulnerabilities within hours.

What Admins Can Do Right Now

With no official patch, the burden shifts to defensive measures. Here’s a practical playbook for Mac administrators:

1. Monitor the Advisory Like a Hawk

Bookmark the official CVE-2026-45460 page on the Microsoft Security Update Guide. Microsoft may release the update at any moment—often outside regular Patch Tuesday windows for critical flaws. Enable alerts via Microsoft’s RSS feed or a third-party monitoring service. Don’t rely on your existing patch management tool to notify you promptly; many tools check on a daily cycle, which could be too late.

2. Harden Office Documents

If you use Microsoft Defender for Office 365, enable the \"Block all Office applications from creating child processes\" Attack Surface Reduction rule. This prevents Office apps from spawning malicious executables, even if code execution is achieved. While not a silver bullet, it cuts off a common post-exploitation path.

For organisations without Defender, consider configuring AppLocker or a third-party EDR to restrict the execution of scripts and binaries from temporary directories commonly used by Office. On macOS, you can use spctl and csrutil to enforce Gatekeeper settings, but these do not prevent in-memory exploits.

3. Implement Network Isolation

If the risk outweighs productivity, isolate critical Mac endpoints from external networks—or at least block inbound and outbound SMB and RPC traffic, which are frequently abused in Office-based attacks. For mobile users, a VPN with strict split-tunnelling that blocks all non-essential traffic can reduce the attack surface.

4. Warn Users—Carefully

Send a terse, actionable notification to all Mac Office users. Avoid generic \"don't open suspicious attachments\" language; instead, instruct them to never open documents from external sources unless they’ve verified the sender through a separate channel. Provide a dedicated mailbox or hotline for reporting suspicious files. In high-security environments, consider temporarily disabling Office attachments in email until the patch arrives.

5. Validate Your Patch Process

When the fix does land, you’ll need to act fast. Confirm that your MDM solution (Jamf Pro, Intune, etc.) can deploy Microsoft AutoUpdate (MAU) packages promptly. Office LTSC for Mac updates typically arrive via the Microsoft Download Center or MAU; Microsoft 365 for Mac updates flow exclusively through MAU. Pre-stage installation scripts so you’re not scrambling at the last minute. Test deployment on a small batch of non-critical machines first—rushing a patch can break dependent workflows.

The Bigger Picture: Mac Office Patching Headaches

CVE-2026-45460 isn’t an isolated incident. It exposes a persistent pain point: Microsoft’s Mac Office patching infrastructure lags behind its Windows counterpart. While Windows updates are delivered through a mature, predictable channel (Windows Update, WSUS, Configuration Manager), Mac updates rely on a hodgepodge of MAU, Microsoft AutoUpdate 2.0, and occasionally manual downloads. For LTSC versions, which are licensed perpetually, the update cadence is even less predictable.

Organizations that adopted Office LTSC for Mac to avoid the rapid release cycle of Microsoft 365 now find themselves in a bind: they’re exposed to a critical vulnerability but can’t just flip a switch to get the latest code. Admins must weigh the delay against the possibility of switching affected users to the web versions of Word, Excel, and PowerPoint—a less-than-ideal stopgap that lacks full feature parity.

Microsoft’s advisory itself hints at internal friction. The FAQ section states, “Updates are not available for this vulnerability yet,” without offering a timeline or temporary mitigation. That’s a departure from recent high-profile bugs, where the company has at least suggested registry workarounds or configuration changes. The silence could indicate an especially stubborn engineering challenge, or it may reflect a deliberate choice to avoid giving attackers clues about the exploit mechanism.

A Timeline of Uncertainty

Looking at the calendar, June 9, 2026, was a Monday. Patch Tuesday would normally fall on June 10. It’s plausible that Microsoft intended to ship the fix alongside its regular monthly updates but pulled it at the last minute after discovering a bug. If that’s the case, a re-patched version could appear within 72 hours. But if the issue requires a more fundamental redesign—say, a rewrite of a parsing library—the wait could stretch into weeks.

In the meantime, the CVE details are public. That’s a double-edged sword: security researchers need the information to build defenses, but exploit developers can also use it to craft attacks. The window of exposure is now measured in hours, not days.

Alternatives and Workarounds Worth Exploring

For organizations that simply cannot accept the risk, consider these deeper mitigation strategies:

  • Disable All Mac Office Applications: An extreme measure, certainly, but if your users can switch to web-based Office apps (word.office.com), you effectively nullify the threat. Web apps execute in the browser sandbox and are not vulnerable to native code exploits. This approach works for knowledge workers who primarily edit documents, but it breaks for heavy Excel users with macros or Power BI integration.

  • Isolate Sensitive Workloads: If only a subset of your Mac users handle sensitive data, restrict those users to virtual desktop infrastructure (VDI) running Windows Office. That sounds counterintuitive, but a properly patched Windows Office deployment may be safer than a vulnerable Mac client. Citrix and Azure Virtual Desktop can deliver a seamless experience, albeit with added licensing costs.

  • Enhance Email Filtering: Most Office-based attacks arrive via email. Aggressively block attachments with Office file extensions (.docx, .xlsx, .pptx, .dotx) from external domains. Use Safe Links and Safe Attachments in Defender for Office 365 to detonate suspicious files in a sandbox. Fine-tune your rules to reduce false positives—you’ll thank yourself later.

The Fallout and Forward Path

When a patch finally emerges, the post-mortem will be ugly. CISOs will ask why Microsoft couldn’t deliver a fix alongside its disclosure. Mac admins will question whether they can trust Microsoft’s release process for critical updates. And the security community will analyze the exploit to gauge just how close we came to a mass exploitation event.

In the months ahead, expect Microsoft to revise its Mac Office update mechanisms. The company has been slowly unifying its update stack under the Microsoft AutoUpdate umbrella, but CVE-2026-45460 will likely accelerate that effort. A single, reliable delivery channel for all Office for Mac editions would prevent the fragmentation that makes patching delays so painful.

For now, admins must remain vigilant. Check Microsoft’s advisory page twice daily. Have your deployment scripts ready. And hope that the delay is measured in hours, not days. Because the alternative—a critical RCE hanging over your Mac fleet with no fix in sight—is a nightmare no IT team wants to endure.