VYPR
Vypr Intelligence · AI-generated · Jun 9, 2026 · 15 CVEs

Microsoft Office: 14 Vulnerabilities Disclosed Together on June 9, 2026

Microsoft Office users face a significant security update with the disclosure of 14 vulnerabilities on June 9, 2026, including several critical flaws.

Key findings

  • Microsoft Office users must address 14 vulnerabilities disclosed on June 9, 2026.
  • Seven heap-based buffer overflow flaws and three 'type confusion' bugs allow local code execution.
  • Three out-of-bounds read vulnerabilities could lead to local information disclosure.
  • The vulnerabilities range in severity from Low (CVSSv3 3.3) to High (CVSSv3 8.4).
  • These disclosures were part of Microsoft's June 2026 Patch Tuesday, which fixed nearly 200 flaws.

Fourteen Microsoft Office vulnerabilities were patched simultaneously on June 9, 2026, in a substantial security disclosure for Office users. The batch, all disclosed on the same day, includes several high-severity flaws that could allow unauthorized attackers to execute code locally or disclose sensitive information.

The disclosed vulnerabilities primarily fall into two categories: heap-based buffer overflows and access of resources using incompatible types, commonly known as 'type confusion' flaws. Seven heap-based buffer overflow vulnerabilities (CVE-2026-45645, CVE-2026-45475, CVE-2026-45474, CVE-2026-45472, CVE-2026-45463, CVE-2026-45461, CVE-2026-44824, CVE-2026-44819) were detailed, many carrying a high severity rating (CVSSv3 7.8 or 8.4) and the potential for local code execution. Additionally, three 'type confusion' vulnerabilities (CVE-2026-47635, CVE-2026-45458, CVE-2026-45456), also rated High (CVSSv3 8.4), pose a similar risk of local code execution.

Beyond the code execution risks, the batch also included three out-of-bounds read vulnerabilities (CVE-2026-45460, CVE-2026-44821, CVE-2026-45485). Two of these were rated Medium (CVSSv3 4.7 and 5.5), and one was classified as Low (CVSSv3 3.3). These vulnerabilities could allow an unauthorized attacker to disclose information locally.

According to related security reporting, this disclosure was part of Microsoft's June 2026 Patch Tuesday, which addressed a total of 198 to 200 vulnerabilities across its product ecosystem. Notably, this Patch Tuesday included three zero-day vulnerabilities that were either actively exploited or publicly known before a fix was available. While the specific zero-days mentioned in the coverage (e.g., CVE-2026-50507 for Windows BitLocker) are outside the scope of this batch, their presence highlights a broader trend of active exploitation targeting Microsoft products.

Microsoft has released security updates to address all disclosed vulnerabilities. Users are strongly urged to apply these updates as soon as possible to mitigate the risks associated with these flaws. The company's Patch Tuesday releases typically include fixes for a wide range of issues, and prompt application of these patches is crucial for maintaining a secure computing environment. Specific version information for the affected products and the patches that resolve these issues are available through Microsoft's official security advisories.

This coordinated disclosure of fourteen vulnerabilities underscores the ongoing need for vigilance among Microsoft Office users. The concentration of high-severity flaws, particularly those enabling local code execution, necessitates immediate attention from administrators and end-users alike. Staying informed about Microsoft's security bulletins and applying patches promptly remains the most effective defense against such threats.

AI-written article. Grounded in 15 CVE records listed below.