CVE-2026-45461 landed in Microsoft's June 9, 2026 Patch Tuesday as a Critical-rated remote code execution vulnerability in Microsoft Office. The flaw is already drawing scrutiny, not for its severity but for its attack vector label: Microsoft's advisory lists the vector string as AV:L, or local. (The 9.8 base score circulating alongside the bug cannot come from that vector. Under CVSS v3.1 a Local vector that requires the user to open a file tops out at 7.8, and 9.8 is reachable only with AV:N and no user interaction, so read the advisory's full vector string rather than a headline number.) For a bug that can be triggered by opening a malicious document, the "local" classification feels dangerously misleading.

Security practitioners have long argued that CVSS’s rigid definition of “local” fails to capture real-world attack chains. In CVE-2026-45461, the attacker must place a specially crafted file on the victim’s local system, but that placement almost always happens remotely — via email attachment, shared network drives, or drive-by downloads. This gap between CVSS formalism and practical risk is the story beneath the story.

What is CVE-2026-45461?

The vulnerability exists in the component that handles embedded font processing within Office documents. When a user opens a .docx, .xlsx, or .pptx file rigged with a malformed TrueType font table, the parsing engine triggers a heap-based buffer overflow. Because the flaw resides in a shared library used by all Office applications, the attack surface spans Word, Excel, PowerPoint, and Outlook (via attachment preview). Critically, the exploit does not rely on macros, ActiveX, or any interactive user action beyond opening the file.

Microsoft's advisory confirms that exploitation needs no privileges on the target (PR:N) and no authentication; in CVSS terms the one thing it does need is a user to open the file (UI:R). Success yields code execution in the context of the current user, and if that user has administrative rights the attacker gains full control of the system. The low complexity and the ubiquity of Office make this an attractive entry point for ransomware operators and initial-access brokers.

The AV:L paradox

CVSS v3.1 scopes the attack vector "Local" (AV:L) to vulnerable components that are not bound to the network stack, where the attacker's path is local read, write or execute capability. The specification is explicit that this includes the case where the attacker relies on another person to act, for example by social-engineering a user into opening a malicious document. "Network" (AV:N), by contrast, is reserved for components reachable over the network stack. So the Office classification is by design, not a scoring mistake: any bug that demands a file be present on disk is AV:L even when that file arrived by email or from the web. The result is a systemic blind spot. A vulnerability carrying an AV:L label can be every bit as dangerous as a network-borne one, yet the vector alone suggests lower urgency, and the base score is mechanically lower as well.

In practice, CVE-2026-45461 is a remote-code-execution vulnerability for any organization that handles external Office files. A phishing email with a .docx attachment is all it takes. The file lands in the user’s Downloads or Temp folder, making the attack vector technically “local” even though the attack origin is unequivocally remote. This is why Microsoft still rates the bug as Critical, regardless of the CVSS vector.

Technical breakdown

Analysis by independent researchers reveals that the buffer overflow occurs in the fontsubset.dll library, specifically in the function responsible for parsing the “glyf” table of TrueType fonts. The flawed routine fails to validate a length field before performing a memory copy, allowing an attacker to overwrite adjacent heap memory. By carefully crafting font data, an attacker can achieve arbitrary code execution using well-known heap manipulation techniques.
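The bug class described above, a length field read from the file and trusted before a copy, is easiest to see in a parser that gets it right. The following is an added example written for this article, not Microsoft's code and not a reconstruction of fontsubset.dll: it reads the real sfnt table directory that every TrueType/OpenType font starts with, and refuses any table record whose offset and length would reach past the buffer. The two fonts at the bottom are constructed test inputs (a well-formed one and one whose "glyf" record claims far more bytes than the file holds), not samples from any exploit.

```python
"""Bounds-checked TrueType table-directory parser (added example).

The sfnt header and 16-byte table records are the real OpenType/TrueType
layout. The point of the example is the check before the slice: a length
taken from the file is validated against the buffer that actually holds the
data before any copy happens, which is the validation the vulnerable path
is reported to lack.
"""
import struct
from typing import Optional

# sfntVersion, numTables, searchRange, entrySelector, rangeShift
SFNT_HEADER = struct.Struct(">IHHHH")
# tag, checksum, offset, length
TABLE_RECORD = struct.Struct(">4sIII")


class MalformedFont(ValueError):
    """Raised for any directory record that would read outside the buffer."""


def read_table_directory(font: bytes) -> dict:
    """Return {tag: table_bytes}, rejecting records that point outside the file.

    Every arithmetic step is checked, including the offset+length addition, so
    an oversized length can never drive a copy beyond the buffer."""
    if len(font) < SFNT_HEADER.size:
        raise MalformedFont("truncated sfnt header")
    _version, num_tables, *_ = SFNT_HEADER.unpack_from(font, 0)
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(font):
        raise MalformedFont(f"table directory ({num_tables} records) overruns file")
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            font, SFNT_HEADER.size + i * TABLE_RECORD.size)
        # An unchecked routine would copy `length` bytes from `offset` here
        # (memcpy in native code). Validate the length field first, and do it
        # as a subtraction so the comparison cannot itself overflow in C.
        if offset < dir_end or length > len(font) - offset:
            raise MalformedFont(f"table {tag!r}: offset={offset} length={length} "
                                f"exceeds {len(font)}-byte buffer")
        tables[tag.decode("ascii")] = font[offset:offset + length]
    return tables


def build_font(tables: dict, bogus_lengths: Optional[dict] = None) -> bytes:
    """Assemble a minimal sfnt from {tag: payload}.

    `bogus_lengths` overrides the recorded length for a tag so a malformed
    directory can be constructed for testing; the payload itself is unchanged."""
    bogus_lengths = bogus_lengths or {}
    header_size = SFNT_HEADER.size + len(tables) * TABLE_RECORD.size
    records, body, cursor = [], b"", header_size
    for tag, payload in tables.items():
        length = bogus_lengths.get(tag, len(payload))
        records.append(TABLE_RECORD.pack(tag.encode("ascii"), 0, cursor, length))
        body += payload
        cursor += len(payload)
    return (SFNT_HEADER.pack(0x00010000, len(tables), 0, 0, 0)
            + b"".join(records) + body)


def is_well_formed(font: bytes) -> bool:
    """True if every table record stays inside the buffer."""
    try:
        read_table_directory(font)
        return True
    except MalformedFont:
        return False


# Constructed inputs: a tiny valid font, and the same bytes with a 'glyf'
# record that claims ~2 GiB of data the file does not contain.
GOOD_FONT = build_font({"head": b"\x00" * 54, "glyf": b"\x00" * 16})
BAD_FONT = build_font({"head": b"\x00" * 54, "glyf": b"\x00" * 16},
                      bogus_lengths={"glyf": 0x7FFFFFFF})

if __name__ == "__main__":
    print("good font:", is_well_formed(GOOD_FONT))   # True
    print("bad font: ", is_well_formed(BAD_FONT))    # False
```

The same check, expressed as `length > buffer_size - offset` rather than `offset + length > buffer_size`, is what a native parser needs: the addition form can wrap on a 32-bit length field and pass the test while still overrunning the copy.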

What makes CVE-2026-45461 especially dangerous is its reliability. Proof-of-concept exploits developed within hours of disclosure reportedly show that the crash is deterministic on all supported Office versions, including the latest Click-to-Run builds of Microsoft 365. The exploit is said to sidestep Address Space Layout Randomization (ASLR) by leveraging the fact that the vulnerable component loads at a predictable address in certain Office processes. The same reports claim a Control Flow Guard (CFG) bypass, but a fixed load address does not by itself defeat CFG, which restricts indirect-call targets rather than addresses; treat that part of the claim as unconfirmed until the technique is published.

Importantly, Protected View does not neutralize the attack; it only contains it. Protected View does not strip embedded fonts, so the malformed font is still parsed when the document is rendered, but it is parsed inside a low-privilege sandboxed process where the overflow buys the attacker little. The moment a user clicks "Enable Editing" the document is reparsed by the fully privileged Office process, and the overflow fires there. This nuance means that the common advice of "don't click Enable" is necessary but insufficient: a single misstep by a tired employee is all that separates a contained crash from a compromise.

Affected software and patch availability

All currently supported editions of Microsoft Office are affected:

  • Office 2016/2019/2021 (including LTSC versions)
  • Microsoft 365 Apps for Enterprise, Business, and Personal
  • Office 2024
  • Office for Mac (version 16.80 and later)
  • Office Online (Excel in browser is also vulnerable via embedded fonts)

The June 2026 security updates fully resolve the issue. For standalone Office suites, the patch is delivered through Windows Update or the Microsoft Update Catalog. Microsoft 365 users will receive the fix automatically via the next Click-to-Run update cycle. Administrators are urged to push these updates immediately; Microsoft has assigned an Exploitability Index rating of 1, "Exploitation More Likely".

No workarounds are listed in the advisory, so the only vendor-supported mitigation is the update. Some organizations may nonetheless reduce exposure by restricting the parsing of embedded fonts via Group Policy or by disabling font embedding through the registry key below. Note that this key is not part of Microsoft's advisory; validate on a test system that it actually changes the font-handling behaviour in your Office build before rolling it out:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\16.0\Common\Security\DisableFontEmbedding=1

Note that this workaround breaks legitimate documents that rely on embedded fonts and should be considered a temporary stopgap, not a long-term solution.

A look at the exploit chain

Though Microsoft has not released a full threat analysis, intelligence from private forums and trusted security partners paints a plausible attack lifecycle:

  1. Delivery: A spear-phishing email targeted at a C-level executive carries a .docx attachment titled “Q2_Bonus_Review.docx.”
  2. Execution: The executive opens the document in Outlook’s preview pane (triggering the exploit) or double-clicks to open in Word.
  3. Code execution: The crafted font triggers the overflow, executing shellcode that downloads a second-stage payload from a C2 server.
  4. Persistence and lateral movement: The payload establishes a reverse shell and deploys a Cobalt Strike beacon, then begins lateral movement toward domain controllers.
  5. Impact: Within minutes, the attacker exfiltrates sensitive data and launches ransomware.

This kill chain is not theoretical. A similar pattern was observed with Follina (CVE-2022-30190, scored AV:L) and CVE-2021-40444 (scored AV:N despite the same document-delivery path); both were Office vulnerabilities weaponized in the wild within days of disclosure.

Historical context

CVE-2026-45461 is part of a long lineage of Office parsing bugs that blur the local/remote line:

CVE              Year  Component             Attack Vector (CVSS v3.1)  Exploitation in the wild
CVE-2017-11882   2017  Equation Editor       Local (7.8)                Yes, massive campaigns
CVE-2021-40444   2021  MSHTML                Network (8.8)              Yes, targeted attacks
CVE-2022-30190   2022  MSDT (Follina)        Local (7.8)                Yes, widespread
CVE-2023-21716   2023  Word RTF font table   Network (9.8)              Public PoC; no confirmed campaigns
CVE-2026-45461   2026  Font parser           Local                      Not yet, but likely

In every one of these cases the real-world exploit scenario is remote, whatever the vector says, and Microsoft's own labels have not been consistent: severity ranged from Important to Critical, and the same document-delivery path was scored AV:L for Equation Editor and Follina but AV:N for MSHTML and the 2023 RTF font-table bug. The recurrence of this pattern suggests that CVSS scoring guidance for Office vulnerabilities needs clarification. Moving these bugs to "Physical" or "Adjacent" would not help, since Physical is narrower than Local and Adjacent is defined by network topology; the more useful signals sit alongside the vector, such as Microsoft's Exploitability Index, CISA's Known Exploited Vulnerabilities catalog and EPSS. The core issue remains: a local vector does not mean a local threat.

Community and expert reactions

Security professionals have long warned against relying solely on CVSS scores. On social media, infosec veterans pointed out that any CVE with "RCE" and "Office" in the same sentence should be treated as a remote vulnerability, regardless of what the vector string says. The sentiment was echoed by a senior threat analyst: "If an attacker can email you the exploit, it's remote. Period."

Others took a more measured view, acknowledging that CVSS is a standards effort and must maintain clear definitions. The real problem, they argue, is the misapplication of CVSS by organizations that treat AV:L as a signal to deprioritize patching. Defenders should always read the full advisory and assess exposure based on their environment, not on a single vector label.

Mitigation beyond patching

For organizations that cannot patch immediately, a layered defense posture is critical:

  • Enable Attack Surface Reduction rules: The rule "Block all Office applications from creating child processes" (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A) stops the most common post-exploitation step, the spawn of a shell or script host from Word or Excel. It is not a direct mitigation for the font overflow, but it raises the bar; run it in audit mode first to catch legitimate add-ins that spawn helpers.
  • Disable font embedding: Use the aforementioned registry key or Group Policy. Test thoroughly in a pilot group to avoid user disruption.
  • Enforce Protected View: Ensure that documents from the internet always open in Protected View, and configure Outlook to block active content. While not foolproof, it reduces the chance of an accidental “Enable Editing” click.
  • Educate users: Remind employees that Office documents arriving from unknown senders should never be opened, even if they appear legitimate. The “Q2 Bonus” lure is a classic.
  • Deploy email filtering: Sandboxing of attachments and URL scanning can catch malicious documents before they reach inboxes.

Security teams should also monitor for IOCs: abnormal child processes spawning from winword.exe, excel.exe, or powerpnt.exe, and outbound connections to unusual IP ranges. Tools like Microsoft Defender for Endpoint and Sysmon can provide the necessary visibility.
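The child-process behaviour above is the one signal that survives regardless of which font bug is being exploited, so it is worth encoding as a rule rather than a note. The following detection is an added example written for this article, not a vendor query; the field names (`Image`, `ParentImage`, `CommandLine`, `User`) follow the Sysmon Event ID 1 schema, the allow-list of benign Office children is an assumed baseline to tune per environment, and the five events at the bottom are constructed telemetry, not captured from an incident.

```python
"""Office child-process detection over Sysmon Event ID 1 records (added example).

Not from the advisory or any vendor product. Field names follow the Sysmon
EID 1 (process creation) schema; SAMPLE_EVENTS is constructed for the
demonstration and is not real telemetry.
"""
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and LOLBins an Office process has no reason to spawn after opening a document.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msdt.exe", "msiexec.exe",
}

# Children Office legitimately spawns (print-spooler proxy, crash reporter, updater).
# Assumed baseline: tune against your own environment's process telemetry.
ALLOWED_CHILDREN = {"splwow64.exe", "werfault.exe", "officeclicktorun.exe"}

# Command-line fragments that raise confidence when seen in a child of Office.
STAGER_MARKERS = ("-enc", "-encodedcommand", "downloadstring", "invoke-webrequest",
                  "frombase64string", "http://", "https://")


def basename(image_path: str) -> str:
    """'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe' (case-folded)."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return an alert line for an EID 1 event whose parent is an Office app, else None.

    Severity: CRITICAL for a known-bad child with download/encoded-command
    markers, HIGH for a known-bad child, MEDIUM for any other unexpected child."""
    if event.get("EventID") != 1:
        return None
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child in ALLOWED_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    staged = any(marker in cmdline.lower() for marker in STAGER_MARKERS)
    if child in SUSPICIOUS_CHILDREN:
        level = "CRITICAL" if staged else "HIGH"
    else:
        level = "MEDIUM"
    return f"{level}: {parent} -> {child} user={event.get('User', '?')} cmd={cmdline!r}"


def scan(events) -> list:
    """Run classify() over an event stream and return the alerts in order."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample telemetry: a benign Office child, a non-Office parent,
# two children that should never follow a document open, and a non-EID-1 event.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "splwow64.exe 12288", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "User": "CORP\\jdoe"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": "", "CommandLine": "", "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run against a Sysmon or Defender for Endpoint export, this produces two alerts for the sample above: a HIGH for winword.exe spawning cmd.exe and a CRITICAL for excel.exe launching an encoded PowerShell command. Pair it with the ASR rule from the previous section: the rule blocks the spawn, and this detection tells you it was attempted.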

The bigger picture

CVE-2026-45461 is a reminder that the Office attack surface remains one of the most lucrative for adversaries. Despite Microsoft’s continuous hardening — moving to AMSI and Protected View by default, and retiring legacy components like Equation Editor — the sheer complexity of document formats leaves room for dangerous bugs. Each new font, graphic, or embedded object handler is a potential entry point.

The vulnerability also underscores the need for a more nuanced approach to severity scoring. CVSS serves a purpose, but it is a guide, not a gospel. When Microsoft assigns a Critical rating to an AV:L bug, they are signaling that the exploitation pathway is so trivial and the blast radius so broad that the distinction between local and network becomes academic.

For defenders, the takeaway is simple: patch now, assume every Office document is hostile, and never let a vector label lull you into a false sense of security. In a world where “local” can start with an email, the perimeter is wherever your users open attachments.