Microsoft’s latest Office patch addresses a critical vulnerability that carries an eyebrow-raising mix of labels. CVE-2026-45645 is officially a remote code execution (RCE) flaw, yet the Common Vulnerability Scoring System (CVSS) vector attached to it begins with AV:L—attack vector: local. The seeming contradiction has sparked questions among IT administrators and security analysts. How can a vulnerability be both remote and local, and why does the nomenclature matter for real-world defense?
The advisory, released as part of the regular Patch Tuesday cycle, affects multiple supported editions of Microsoft Office. It warns that an attacker who successfully exploits the flaw can run arbitrary code in the context of the current user. The catch? Exploitation hinges on user interaction—typically opening a specially crafted document. This is where the local vector enters the picture. The weakness does not traverse a network on its own; it requires a local trigger, such as a malicious Word file sitting in an email attachment or a shared folder.
Parsing the CVSS String: AV:L Is Not a Typo
At first glance, RCE vulnerabilities evoke images of network worms and drive-by browser attacks. The CVSS specification, however, draws a clear line between the attack vector and the impact. The attack vector (AV) describes the context by which an attacker reaches the vulnerable component. AV:N means the attack can be launched over a network with no prior access. AV:L, on the other hand, signifies that the attacker must either have physical access to the target machine or rely on user interaction to load or execute the malicious payload.
CVE-2026-45645’s full CVSS vector string likely resembles: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Let’s break down what that means:
- AV:L – Attack Vector: Local. Exploitation requires a local presence, which in the context of Office translates to a user opening a file.
- AC:L – Attack Complexity: Low. No special conditions or preparation are needed once the file is opened.
- PR:N – Privileges Required: None. The attacker does not need to be authenticated.
- UI:R – User Interaction: Required. The victim must take some action, such as clicking a file or enabling content.
- S:U – Scope: Unchanged. The vulnerable component and the impacted component are the same resource.
- C:H/I:H/A:H – Confidentiality, Integrity, Availability impacts are all High. A successful attack can completely compromise system security.
With UI:R and AV:L, the vulnerability essentially bakes social engineering into its exploitation chain. The “remote” part of remote code execution refers to the capability of the attacker to run code on the target from an external location, even though the initial contact point requires local mediation.
Why Microsoft Still Calls It Remote Code Execution
This classification is not a mistake or marketing spin. The Common Vulnerabilities and Exposures (CVE) program and software vendors have long used “remote code execution” to describe the worst-case outcome. The term highlights the nature of the compromise: an attacker can execute arbitrary commands on the victim’s machine without needing prior access beyond tricking the user into performing a routine action. The fact that the user must first save and open a document does not diminish the remote origin of the threat. Malicious files typically arrive via email, cloud links, or websites—all remote channels.
The alternative would be to label the flaw as “local code execution,” which would incorrectly imply the attacker already has a foothold on the system. By keeping RCE in the title, Microsoft ensures the vulnerability receives the urgency it deserves in patch prioritisation frameworks.
The Anatomy of a Modern Office Exploit
While Microsoft has not published the technical details of CVE-2026-45645 (to protect unpatched systems), historical Office RCEs offer a blueprint. They often stem from:
- Memory corruption errors in parsers for legacy formats (such as .doc or .xls).
- Scripting engine vulnerabilities that mishandle embedded ActiveX controls or VBA macros.
- Edge-to-Internet Explorer bridging flaws that allow web content to invoke Office components.
- Sandbox escape bugs in Protected View, which let malicious code break out of the restricted execution environment.
In many cases, the exploit document can be disguised as a résumé, invoice, or urgent legal notice. When opened, it triggers a chain that may involve heap sprays, return-oriented programming (ROP), or use-after-free conditions to gain code execution. Because the payload runs with the user’s privileges, the attacker can install malware, exfiltrate data, or move laterally within a network.
CVE-2026-45645 likely fits this pattern. The advisory notes that customers who follow best practices—such as disabling macros from the internet and opening untrusted files in Protected View—are at reduced risk. This aligns with a UI:R vector: the attack is blunted if users exercise caution or if policy settings block active content by default.
Microsoft’s Defense-in-Depth Mitigations
Over the past several years, Microsoft has hardened Office against document-based attacks. Features like:
- Protected View (which opens files in a sandboxed, read-only mode),
- Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint,
- Office policy settings to block macros and OLE packages from the internet,
- Application Guard for Office (which isolates documents in a Hyper-V container),
Together, these features have made exploitation of such vulnerabilities significantly harder. The fact that CVE-2026-45645 still warrants a critical rating underscores the sophistication of modern exploit techniques and the continuous cat-and-mouse game between security researchers and attackers.
The advisory emphasises that users of Microsoft 365 Apps (the click-to-run version) receive automatic updates, which reduces the window of exposure. On-premises versions of Office 2024 and Office LTSC may require manual patching.
Practical Steps for IT Teams
Organisations should treat any RCE in Office as a high-priority update. Here are immediate actions:
- Apply the patch. For Microsoft 365, updates are typically downloaded and installed within days. For volume-licensed products, deploy the update through Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager.
- Audit macro settings. Enforce “Block all macros except digitally signed macros” and use the Office cloud policy service to manage settings across tenants.
- Enable ASR rules. The rule “Block Office applications from creating executable content” and similar can be deployed to break common infection chains.
- Educate users. Even with technical controls, phishing remains the primary delivery method. Regular training helps staff recognise suspicious attachments.
- Monitor for exploitation. Use endpoint detection and response (EDR) tools to watch for unusual Office child processes (e.g., Office spawning PowerShell or wmic.exe).
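The last item, the Office child-process check, as an added example written for this article rather than taken from any EDR product: the Python below runs a simple parent/child rule over a few constructed process-creation events in CSV form (the column names and file paths are assumptions, not a vendor's schema) and reports only the rows where an Office host launched PowerShell, wmic.exe or a similar built-in tool.

```python
import csv
import io
from dataclasses import dataclass

# Office host processes whose children deserve scrutiny (matched on lower-cased image name).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in tools a maldoc payload commonly launches; the article names PowerShell and wmic.exe.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample telemetry, not real data: process-creation events as an EDR export might look.
SAMPLE_EVENTS = r"""timestamp,host,parent_image,image,command_line
2026-04-14T09:01:12Z,WS-017,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -w hidden -nop
2026-04-14T09:01:30Z,WS-017,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,WINWORD.EXE /n resume.docx
2026-04-14T09:02:05Z,WS-022,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\System32\wbem\wmic.exe,wmic.exe process list brief
2026-04-14T09:03:44Z,WS-031,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe /c dir
"""


@dataclass
class Alert:
    timestamp: str
    host: str
    parent: str
    child: str
    command_line: str


def image_name(path: str) -> str:
    """Reduce a full image path to its lower-cased file name, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_children(csv_text: str) -> list[Alert]:
    """Flag every event in which an Office host spawned one of the suspicious children."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent, child = image_name(row["parent_image"]), image_name(row["image"])
        # A user opening Word from Explorer (row 2) is normal; Word launching PowerShell is not.
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(row["timestamp"], row["host"], parent, child, row["command_line"]))
    return alerts


if __name__ == "__main__":
    for a in detect_office_children(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host}: {a.parent} -> {a.child} [{a.command_line}]")
```

On the sample above only the WS-017 and WS-022 rows fire; the same parent/child pairing is what the ASR rule mentioned earlier blocks, so a hit on a host where the rule is enforced is worth a second look.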
Broader Implications for Vulnerability Scoring
The AV:L/RCE discussion highlights a longstanding ambiguity in security metrics. CVSS is designed to capture technical severity, but the attack vector alone can be misleading without understanding the context. Many of the most devastating real-world breaches have begun with a local-vector vulnerability chained with social engineering. Notable examples include the Dridex banking trojan and Emotet, which heavily relied on maldocs.
Some in the security community advocate for a more expressive categorisation that separates initial access from impact. Initiatives like the Exploit Prediction Scoring System (EPSS) and the CISA Known Exploited Vulnerabilities catalogue aim to complement CVSS by indicating whether a flaw is being actively used in the wild. For now, the onus is on defenders to read beyond the label and examine the vector string and Microsoft’s exploitability index.
What CVE-2026-45645 Means Going Forward
This vulnerability serves as a reminder that even perfectly patched networks can be compromised if a single user opens the wrong file. As Microsoft continues to integrate Office with cloud services, the attack surface evolves. Links to SharePoint, OneDrive, and Teams open new avenues for delivering malicious content that still ultimately requires a user’s click.
The patch for CVE-2026-45645 is a critical stopgap, but the underlying paradigm of document-based attacks isn’t going away. Future Office versions may introduce even more aggressive sandboxing or machine-learning-based runtime detection to neutralise such threats before code execution occurs.
For now, system administrators should patch immediately, double-check their Office security baselines, and keep a close eye on any threat intelligence feeds that may reveal active exploitation patterns. The “remote” in remote code execution may be technically nuanced, but the danger it represents is unequivocal.