Microsoft has assigned CVE-2026-45463 to a Microsoft Office vulnerability and titled it a remote code execution (RCE) flaw. Open the advisory, however, and the CVSS vector reads AV:L, an Attack Vector of Local. To many practitioners this looks like a contradiction: how can a vulnerability be “remote” in its title but “local” in its score? The confusion is understandable, but it rests on a real distinction. The title describes where the attacker sits relative to the victim; the CVSS Attack Vector describes how the attacker reaches the vulnerable component. Conflating the two misleads patch triage, so let’s unpack why a CVE like this one earns both labels, and what that means for your defenses.
The CVSS Attack Vector: More Than Geography
CVSS v3.1 defines four Attack Vector (AV) values: Network (N), Adjacent (A), Local (L), and Physical (P). Many assume Network means “from the internet” and Local means “on the same machine,” but the specification scores something narrower: how the attacker reaches the vulnerable component, not where the attacker is relative to the victim. Network means the vulnerable component is bound to the network stack and can be attacked at the protocol level from one or more network hops away, as with the SMB flaw behind EternalBlue. Adjacent means the component is bound to the network stack but the attack is confined to the same physical or logical network segment, as with ARP spoofing on a shared subnet. Physical means the attacker must handle the device. Local, the trickiest of the four, means the vulnerable component is not bound to the network stack at all; the attacker reaches it through local read, write or execute capability, either from a local or remote (for example SSH) session, or by relying on another person’s User Interaction. The specification’s own example of that last case is social-engineering a user into opening a malicious document.
That last point is key. If the exploit needs the victim to open a file, click a link, or open a document from a SharePoint library, the Attack Vector is Local even though the file arrived over the internet. The exploit does not traverse a network protocol to reach the vulnerable code; it targets a local application through a file that is already on disk or in memory. This is the pattern for nearly every Office RCE of the past decade, CVE-2026-45463 included.
The Anatomy of an Office RCE
Office RCEs depend on malformed documents. An attacker crafts a .docx, .rtf, or .xls file that triggers a parsing flaw in the Office suite, most often memory corruption, sometimes a logic bug in how an embedded object or external reference is resolved. The document is delivered by email, a compromised website, or a USB stick. When the victim opens it, Office’s handling of the malformed input lets the attacker run arbitrary code with the victim’s privileges. The “remote” part is the attacker’s location: no physical proximity is needed, and the operator can be on another continent. The attack chain is remote delivery plus local exploitation.
CVE-2026-45463 follows this blueprint. Microsoft’s advisory does not yet disclose technical details, but it does publish the full CVSS vector string alongside the score, and that string carries what matters for triage. For this class of flaw the vector almost always reads PR:N (no privileges required) and UI:R (user interaction required). UI:R, the requirement that the victim open or preview the file, is the pivot point: the vulnerable parser is not bound to the network stack and the attacker depends on a user action to reach it, which is exactly the CVSS definition of Local. The initial file transfer over SMTP, HTTP, or SMB is the delivery mechanism, and delivery is out of scope for the Attack Vector metric.
Remote vs. Local: A Tale of Two Definitions
The “Remote Code Execution” in the title is Microsoft’s own impact classification. Microsoft is the CVE Numbering Authority for its products and writes the CVE title; NIST’s National Vulnerability Database (NVD) republishes it rather than assigning it. In Microsoft’s usage a flaw is remote when the attacker can trigger it without first having local access to the machine, whether from a different host or by getting a file in front of a user, so an email-borne Office exploit is unequivocally remote by that definition. The CVSS vector, by contrast, measures how the attacker reaches the vulnerable component in isolation from how the payload was delivered. FIRST, which maintains CVSS, anticipated exactly this confusion: the v3.1 specification notes that a Network vector is what is “often termed remotely exploitable,” and then files social-engineering a user into opening a malicious document under Local.
This dual vocabulary has operational consequences. An analyst skimming a vulnerability feed might deprioritize a Local-vector CVE as “not internet-facing,” missing that it can be launched from anywhere a phishing email can reach. Conversely, a Network-vector flaw in a service that is never exposed may be overplayed. Read both the title and the complete vector string, especially the User Interaction and Privileges Required metrics, before judging exploitability.
CVE-2026-45463 Under the Magnifying Glass
At the time of writing, Microsoft has published the advisory but not a full technical analysis. Based on historical Office RCEs such as CVE-2017-11882 (Equation Editor), CVE-2021-40444 (MSHTML), and CVE-2023-36884 (Office and Windows HTML), we can expect the following of CVE-2026-45463:
- The vulnerability likely resides in a core Office library or a legacy component like the Equation Editor or MSGraph.
- Exploitation requires the user to open a malicious document, possibly with Protected View bypass.
- Attack complexity is probably low, as most parser flaws are consistently triggerable.
- The impact is highly context-dependent: on endpoints with standard user privileges, the attacker gains code execution in that user’s session; on servers running Office automation, the blast radius widens.
For this metric profile the arithmetic is fixed: AV:L/AC:L/PR:N/UI:R with High confidentiality, integrity and availability impact scores 7.8 when Scope is Unchanged and 8.6 when it is Changed, the same 7.8 that CVE-2017-11882 carries. Swapping only the Attack Vector to Network would move the 7.8 to 8.8; the “local” label costs exactly one point. The exact score matters less than the fact that the advisory reports the vulnerability as already exploited. Note the labels, though: Microsoft’s Exploitability Index records observed exploitation as “0 – Exploitation Detected”, while “1 – Exploitation More Likely” means no exploitation has been seen yet but is expected. Either rating is a stronger triage signal than the Attack Vector alone.
Why This Matters for Patch Triage
Patch management teams often sort advisories by CVSS base score. For an otherwise identical vector, Local scores a point below Network, even when the practical attack surface, anyone who can get a file in front of a user, is the same. For Office RCEs the initial access channel is email, the highest-volume threat channel there is. Treating CVE-2026-45463 as a “local issue” because of its vector risks delaying a patch that would inoculate against a common phishing-attachment payload.
Microsoft’s Security Response Center publishes more than the base score: its advisories carry the temporal metrics as well, and the Exploit Code Maturity (E) metric there is where confirmed exploitation shows up. The temporal score moves once exploitation is observed; the base vector never does, because real-world exploitability for Office flaws depends on the delivery mechanism rather than the technical Attack Vector. That nuance is lost in automated scanning tools that surface only the base score.
A better triage model is to map the CVE to the attack pattern it enables. CVE-2026-45463 enables an email-borne code execution chain. That places it in the same risk category as a browser zero‑day delivered via a watering hole – both rely on user interaction, both originate remotely, and both demand the same patching urgency. If your organization has a policy that treats “critical” browser RCEs as top priority, then the same priority should apply to this Office RCE, regardless of its CVSS vector.
How Defenders Should Respond
First, apply the patch. The security update for CVE-2026-45463 addresses the underlying parsing flaw, so no configuration change can substitute for the fix. If the patch cannot be deployed immediately, Microsoft provides mitigation steps in the advisory, such as disabling the specific Office component or enabling the Attack Surface Reduction rule “Block all Office applications from creating child processes.” Know what that ASR rule covers: it blocks Office from spawning a process, which stops the common drop-and-run payload stage, but it does nothing against code that stays inside the Office process. These mitigations are stopgaps, not permanent solutions.
Second, tune your email defenses. The delivery channel is email, so attachment detonation and sandboxing matter more than signature matching: the hash of a malicious document changes with every campaign. Microsoft’s advisory itself rarely carries indicators of compromise; those typically arrive later in Microsoft Threat Intelligence write-ups and third-party reports once campaigns are analyzed. Use them when they appear, but prioritize behavioural detection, such as Office processes spawning cmd.exe or PowerShell or making unexpected network connections, which survives payload repacking.
Third, audit Office macro and add-in settings. CVE-2026-45463 does not require macros, but Office exploits are frequently chained with macro-based downloaders, and a document that arrives from the internet should not be allowed to run them. Ensuring that macros are blocked for untrusted sources reduces the overall attack surface.
Finally, use this CVE as a training moment for your security operations center. Ensure every analyst understands that CVSS attack vector is not a proxy for “remoteness” in the threat actor’s sense. A Local vector with user interaction and low complexity can be just as dangerous as a Network vector – sometimes more so, because it may be dismissed.
Historical Echoes: 2017’s CVE-2017-11882 and the Lesson Unlearned
The confusion around CVE-2026-45463 is not new. CVE-2017-11882, the infamous Equation Editor RCE, carried a CVSS vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, a 7.8 with the same Local, Low Complexity, No Privileges, User Interaction profile. Yet it was exploited in hundreds of campaigns for years, often as the payload of choice for commodity malware families like Lokibot. The vector did nothing to slow its proliferation; the delivery mechanism, email, was all that mattered.
A 2019 study by Randori found that 67% of security professionals misclassified vulnerabilities when shown only the CVSS vector string, systematically underestimating the severity of User Interaction‑required flaws. This cognitive bias persists, and CVE-2026-45463 will likely be a fresh test of whether organizations have bridged the gap between textbook scoring and operational reality.
The Bottom Line
CVE-2026-45463 is an Office RCE. The attack vector is Local, but the attacker is remote. Those two statements are not contradictory; they describe different layers of the kill chain. The patch is urgent because the vulnerability is already under exploitation, not because of a two-character metric in the vector string. When triaging, look beyond the vector to the exploitation context: how does the attacker deliver the payload? What user actions are needed? How quickly are real-world campaigns weaponizing it? The answers to these questions will keep your prioritization accurate and your organization safe.