Microsoft has disclosed a new vulnerability in Microsoft Word, tracked as CVE-2026-45486, and classified it as a Remote Code Execution (RCE) flaw. At first glance, this classification appears to conflict with the assigned CVSS vector, which lists the attack vector as Local (AV:L). The apparent mismatch raises questions: How can a vulnerability be triggered locally yet pose a remote threat? The answer lies in understanding the mechanics of document-based exploits, the nuances of CVSS scoring, and the attack chain that makes such a flaw dangerous in real-world scenarios.

Understanding CVSS Attack Vectors

The Common Vulnerability Scoring System (CVSS) is an industry-standard framework for assessing the severity of security vulnerabilities. One of its fundamental components is the Attack Vector metric, which describes how an attacker can exploit a vulnerability. The possible values for AV are:

  • Network (AV:N): The vulnerability can be exploited remotely across a network, such as a remote buffer overflow in a network-facing service.
  • Adjacent Network (AV:A): The attacker must be on the same physical or logical network segment, such as a Bluetooth or Wi-Fi attack.
  • Local (AV:L): The attacker must have local access to the system, either physically or via a local account. Exploitation often requires the victim to perform an action, like opening a file or executing a command.
  • Physical (AV:P): The attacker needs physical access to the device, such as plugging in a malicious USB device.

A vulnerability with AV:L typically means that the exploit cannot be triggered by a purely remote network request alone. However, this does not mean the attack cannot originate from a remote actor. In the context of Microsoft Word, the local attack vector reflects the fact that the vulnerability lies in the document-parsing engine—the user must open a malicious document for the exploit to fire. The attacker, however, can deliver that document from the other side of the internet.

The Anatomy of a Word-Based Attack

Microsoft Word vulnerabilities that lead to code execution almost always follow a similar pattern. An attacker crafts a specially formatted document (typically .doc, .docx, or .rtf) containing exploit code designed to corrupt memory or otherwise trigger unintended behavior in Word's parsing routines. This document is then delivered to the target—often via email attachment, a link in a phishing message, or a compromised website.

When the victim opens the document, Word processes the malformed content, causing a crash or—if the exploit is successful—hijacking the program's execution flow to run arbitrary code. That code can download additional malware, steal credentials, or establish persistence on the system. The critical point is that the actual exploitation happens on the victim's machine, requiring minimal user interaction (opening the file). Since the vulnerable component is a locally installed application, CVSS rightfully assigns AV:L. But the initial access vector is clearly remote—the document came from an external source.

This distinction is central to why Microsoft classifies such flaws as Remote Code Execution. The company's security bulletins traditionally categorize vulnerabilities based on the attacker's potential reach. If an attacker can achieve code execution on a target without prior authentication or physical access, even if they need to trick the user into performing an action, it is labeled RCE. This aligns with how administrators and users perceive risk: an email-borne threat that hijacks Word is very much a remote attack.

Microsoft's Classification vs. CVSS: Historical Context

The tension between Microsoft's RCE classification and CVSS AV:L is not new. Several landmark Word and Office vulnerabilities have carried the same label, despite local vectors. Notable examples include:

  • CVE-2017-11882: A memory corruption flaw in the Equation Editor component. Its CVSS vector initially read AV:L, yet it became one of the most widely exploited Office vulnerabilities for years, used in countless phishing campaigns.
  • CVE-2018-0802: Another Equation Editor issue, also AV:L, patched alongside CVE-2017-11882. Attackers chained these vulnerabilities to bypass security mitigations.
  • CVE-2020-0852: A Word RCE that required user interaction but allowed attackers to run code in the context of the current user.

In each case, the vulnerability's exploitation required the victim to open a document, making it locally triggered. But the reality is that no attacker would sit down at the victim's keyboard; the document was the delivery vehicle. Microsoft's bulletins consistently called these RCE vulnerabilities, while CVSS scoring often assigned AV:L. This discrepancy stems from CVSS's strict focus on the vulnerability's immediate prerequisites—what must happen for the software flaw itself to be triggered—rather than the broader attack chain. CVSS defines AV:L unambiguously: if the vulnerable component is not network-facing and exploitation cannot occur without local action, it is local. Microsoft, however, prioritizes the outcome: if code can be run remotely via a document, it's remote.

Why CVSS AV:L Does Not Lower the Real-World Risk

A common misconception is that AV:L vulnerabilities are less dangerous than their AV:N counterparts because they require user interaction. In practice, for Microsoft Word flaws, that interaction is minimal—simply opening a document. Moreover, social engineering techniques make it trivial for attackers to persuade users to open seemingly legitimate files. Phishing emails disguised as invoices, resumes, or urgent notifications are incredibly effective. A well-crafted lure can achieve high open rates, transforming a "local" vulnerability into a mass exploitation campaign.

Additionally, CVSS base scores can be misleading when taken out of context. While the base score for AV:L vulnerabilities is often lower (since the metric reduces the overall severity), the Temporal and Environmental score groups can increase the rating when a working exploit is publicly available or the vulnerability is widely targeted. Security researchers and IT administrators should consider the entire picture: a Word RCE with AV:L and a CVSS base score of 7.8 may be more dangerous in practice than a network-service vulnerability with a base score of 9.8 if the Word flaw is being actively exploited in the wild and the service is only exposed internally.

Microsoft often includes mitigation factors in its advisories, noting that the Preview Pane is an attack vector in some cases, or that users with reduced privileges face lower impact. For CVE-2026-45486, details are still emerging, but typical mitigations include:

  • The document must be opened in an affected version of Word; simply viewing a file in a preview mode may or may not trigger the vulnerability.
  • Protected View, which opens files from untrusted sources in a sandboxed environment, can significantly reduce risk.
  • Attackers must overcome Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections, although modern exploits often chain multiple bugs to do so.

These factors do not change the fundamental threat: a malicious document can lead to system compromise, and the attacker does not need an existing foothold on the network.

The Attack Chain: From Email to Code Execution

To fully grasp why AV:L does not mean the attacker is local, consider the typical kill chain:

  1. Delivery: The attacker sends a phishing email with a weaponized document attached or a link to a shared file.
  2. User interaction: The victim downloads and opens the document. Word processes the file.
  3. Exploitation: The malformed content triggers the vulnerability, corrupting memory and hijacking control flow.
  4. Payload execution: The exploit runs shellcode that downloads and executes a malware implant, such as a Remote Access Trojan (RAT).
  5. Persistence and lateral movement: The attacker gains a foothold, escalates privileges, and moves across the network.

While step 3 occurs locally, steps 1, 4, and 5 are inherently remote. The entire sequence is orchestrated by a remote adversary. Labeling this as a local vulnerability because the exploit fires inside a local application is technically accurate but practically misleading. CVE-2026-45486 follows this same blueprint: the CVSS vector may read AV:L, but the origin of the threat is undeniably remote.

Patching and Protection Strategies

Microsoft has released a security update addressing CVE-2026-45486. Users are strongly advised to apply the patch immediately through Windows Update or the Microsoft Update Catalog. For organizations using Microsoft 365, the update will roll out as part of the regular update cadence. Specific Knowledge Base (KB) article numbers and affected build versions have not been disclosed in the initial advisory summary, but they will be available in the full CVE entry on the Microsoft Security Response Center (MSRC) portal.

Beyond patching, defense-in-depth measures reduce exposure:

  • Enable Protected View: Ensure that documents from the internet open in this read-only sandbox by default.
  • Disable ActiveX controls and macros: Configure Group Policy to block execution unless explicitly trusted.
  • Use email filters: Train spam and phishing filters to catch common document-based threats.
  • Educate users: Remind employees to scrutinize unexpected attachments, even from known contacts.
  • Deploy endpoint detection and response (EDR): Modern EDR solutions can detect exploitation patterns and post-exploit behaviors, blocking attackers before they establish a foothold.

It is also worth noting that Microsoft frequently improves the security architecture of Office applications. Features like Application Guard for Office open untrusted documents in an isolated Hyper-V container, preventing compromise of the host operating system. While not a substitute for patching, these controls provide another layer of defense against zero-day and unpatched vulnerabilities.

What the Cybersecurity Community Is Saying

The disclosure of CVE-2026-45486 has reignited discussions in security forums about the usefulness of CVSS for client-side vulnerabilities. Some experts argue that AV:L should be reserved for situations where the attacker truly has local access—such as a logged-in user with a shell—while a new category or clearer guidelines are needed for document-based exploits. Others point out that CVSS is a base scoring system meant to be supplemented with environmental context; the onus is on organizations to adjust scores based on their own risk posture.

The reality is that Word RCEs remain a favored tool in both cybercriminal and advanced persistent threat (APT) campaigns. The low barrier to delivery, combined with the high value of compromised endpoints, makes them attractive despite any required user interaction. As long as humans can be convinced to click, these vulnerabilities will be exploited.

The Bottom Line

CVE-2026-45486 exemplifies the sometimes confusing divide between vulnerability scoring and real-world attack scenarios. Microsoft's classification as Remote Code Execution is accurate from a threat perspective: an attacker anywhere on the internet can gain control of your system if you open a malicious document. The CVSS AV:L rating correctly captures the exploitation prerequisite—the document must be processed locally—but must be interpreted with an understanding of modern attack chains.

Administrators should treat all Microsoft Office RCE vulnerabilities as urgent, regardless of the adjacent CVSS metric. The patch for CVE-2026-45486 should be prioritized alongside any other critical updates. In the arms race between defenders and attackers, timely patching remains the single most effective defense. Ignoring a "local" Word vulnerability because the CVSS vector suggests limited reach is a dangerous oversight—one that phishers and malware authors are counting on.