A new Microsoft Word vulnerability, tracked as CVE-2026-45471, has ignited a fresh debate in security circles—not over the flaw’s severity, but over the meaning of a single word. Microsoft’s advisory labels the issue a remote code execution (RCE) vulnerability, yet the accompanying Common Vulnerability Scoring System (CVSS) string lists the attack vector as Local (AV:L). This isn’t a contradiction; it’s a collision of two different ways to describe threats, and it’s confusing security teams worldwide.
For years, security professionals have struggled with the gap between how vendors categorize vulnerabilities and how CVSS quantifies them. CVE-2026-45471 is the latest, and perhaps clearest, example of why understanding this gap matters. If you look only at the CVSS score, you might dismiss the vulnerability as low risk if you think “local” means the attacker needs physical access. But Microsoft’s “remote” label screams a different story. Which one should you trust? The answer requires a deep dive into both systems, and what they’re actually measuring.
What CVE-2026-45471 Actually Does
Details remain limited, but the advisory indicates that a specially crafted Word document can trigger memory corruption when opened, allowing an attacker to execute arbitrary code in the context of the current user. The attack scenario is classic: a user receives a malicious .docx file via email or download, opens it, and the code runs. No interaction beyond opening the file is needed. In traditional threat modeling, this is a “remote” attack because the attacker crafts the payload from across the internet. The victim never hands over their laptop.
But here’s the twist: the CVSS v3.1 vector attached to the CVE shows AV:L (Attack Vector: Local). That designation, according to the official CVSS specification, means “the vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities.” In layman’s terms, the attacker must either have physical access to the machine or rely on the user to perform a local action—like opening a file. Yet the same vector also includes a high Confidentiality, Integrity, and Availability impact, with a base score of 7.8 out of 10. That’s firmly in the High severity range, not Medium.
CVSS Attack Vector: It’s Not About Where the Attacker Sits
The confusion stems from a fundamental misconception: the CVSS Attack Vector metric doesn’t describe the attacker’s geographical location. It describes the context of the vulnerability exploitation. The CVSS user guide explicitly states that if the vulnerability can be exploited only by a user opening a file or clicking a link, the Attack Vector is Local, regardless of where that file originated. Network (AV:N) means the vulnerability is “exploitable via network access” without user interaction—think of a wormable flaw in a service listening on a port. If user interaction is required, it’s typically scored as Local unless the vulnerability can be exploited across network boundaries in some automated way.
Thus, a Word document vulnerability almost always gets AV:L because the attack mechanism requires the user to launch the document locally. The fact that the document came from a remote source doesn’t change the vector. The CVSS group made this distinction to differentiate vulnerabilities that can be exploited en masse with no user involvement from those that rely on social engineering or local execution. It’s a blunt instrument, and it often leads to scores that don’t match intuitive risk perceptions.
Microsoft’s Classification: Focus on the Attacker’s Reach
Microsoft’s security response team has long used “remote code execution” as a top-level category for any vulnerability where an attacker can execute code from outside the target’s immediate physical perimeter. In their monthly Security Update Guide, RCE issues encompass everything from drive-by browser exploits to Office macros. The logic is simple: if the attacker can deliver the payload over a network, even with user interaction, it’s “remote.” They reserve “local” classifications for vulnerabilities that require pre-existing access, such as a logged-in console or an authenticated session on the machine.
This terminology shapes how IT administrators prioritize patches. When they see “Remote Code Execution” in a Microsoft advisory, they know the vulnerability could potentially lead to a system compromise from an internet-based attack, even if user interaction is needed. The CVSS score might drop to 7.8 because of the Local vector, but Microsoft’s own severity rating—often listed as “Important” or “Critical”—further guides action. In the case of CVE-2026-45471, Microsoft has marked it as “Important,” aligning more with the real-world risk of weaponized phishing campaigns than with a purely physical threat.
Why the Disconnect Hurts Security Operations
Organizations that rely solely on CVSS scores to prioritize patching can make dangerous mistakes. A CVSS base score of 7.8 with AV:L might be filtered out when security tools or policies ignore all “Local” vulnerabilities, assuming they require physical access. Yet CVE-2026-45471 can be trivially turned into a mass attack via email attachments. Many security scanning tools and vulnerability management platforms use CVSS scores as the primary triage metric. If they misclassify the actual threat posture, patches for such flaws may be delayed.
This isn’t just theoretical. In the past, similar Office vulnerabilities with AV:L and high scores—such as CVE-2017-11882 (Equation Editor)—have been used in widespread malware campaigns. Equation Editor had a CVSS score of 8.8 with AV:L, yet it became one of the most exploited Office flaws because attackers could distribute malicious documents through phishing. The AV:L designation didn’t slow down exploitation one bit. Security teams that had automatically deprioritized “Local” vulnerabilities were caught off guard.
A Closer Look at the CVSS String for CVE-2026-45471
Let’s dissect the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It breaks down to:
- Attack Vector: Local – because the user must open the document.
- Attack Complexity: Low – no special conditions; just open the file.
- Privileges Required: None – the attacker doesn’t need any prior access.
- User Interaction: Required – the user must open the malicious file.
- Scope: Unchanged – the vulnerability affects the same security authority.
- Impact: High for confidentiality, integrity, and availability.
This combination yields a base score of 7.8. Note the curious pairing: Privileges Required is None, yet User Interaction is Required. That’s exactly why this feels “remote” despite the Local vector. The attacker needs no foothold on the system, just a way to trick the user. The CVSS framework has no concept of “remote delivery with local execution” beyond the Local/Network dichotomy. The temporal and environmental metrics can adjust the score slightly, but they rarely change the vector.
The Industry’s Long-Standing Grievance
For over a decade, security professionals have called for a revision to the Attack Vector definition. Some proposed adding a “Remote (user-assisted)” vector to bridge the gap. Others argue that the User Interaction metric should modify the vector, making AV:N possible even with UI:R if the interaction is trivial and the payload is delivered remotely. The CVSS Special Interest Group (SIG) has debated these changes, but as of CVSS v3.1, the current definitions remain.
The upcoming CVSS v4.0 aims to address some of these concerns by introducing more granular attack requirements and network exposure metrics. It will separate “attack vector” into more precise categories like “Adjacent” and “Physical,” but early drafts still require user interaction for local exploits. Whether that solves the perception problem is unclear.
Real-World Impact: What You Should Do About CVE-2026-45471
Don’t let the “Local” label fool you. If your organization uses Microsoft Word and hasn’t applied the latest security updates, you’re at risk from phishing attacks that could deploy ransomware or steal credentials. Treat this vulnerability as a high-priority patch, especially if your users frequently open documents from external sources.
Practical steps:
- Apply the update from Microsoft’s July 2026 Patch Tuesday immediately. Microsoft has released a fix for Word 2019, Microsoft 365 Apps, and Office LTSC 2021.
- Enable Protected View for files from the internet. This can block exploitation even without the patch in some configurations.
- Train users to recognize phishing attempts. No technical control is foolproof.
- Adjust your vulnerability management tools to account for “High + User Interaction” vulnerabilities, even when AV:L. Create custom risk scores or override policies where necessary.
The Bottom Line
CVE-2026-45471 isn’t an anomaly; it’s a symptom of a scoring system that hasn’t kept pace with attack patterns. Microsoft’s “remote” description reflects the attacker’s ability to reach across the internet into your user’s inbox. The CVSS “Local” vector reflects the technical mechanism of opening a file. Both are correct in their own contexts, but the disconnect creates a dangerous blind spot if you rely solely on automated CVSS filtering. Until the scoring standards evolve, security teams must bridge that gap with intelligence and context. Next time you see AV:L and a high score, ask: is this really local? Because in 2026, the answer is often no.