Vypr Intelligence · AI-generated · Jun 9, 2026 · 5 CVEs

Microsoft Office Word: Five Pointer Dereference & Buffer Overflow Flaws Disclosed

Microsoft Office Word users face risks from five vulnerabilities disclosed on June 9, 2026, including four High-severity remote code execution flaws.

Key findings

  • Four High-severity 'Untrusted pointer dereference' vulnerabilities in Microsoft Office Word disclosed.
  • One 'Heap-based buffer overflow' vulnerability allows local information disclosure.
  • All five vulnerabilities were disclosed on June 9, 2026, as part of Microsoft's Patch Tuesday.
  • The high-severity flaws could allow for local code execution.
  • Microsoft has released patches as part of its June 2026 security updates.

Microsoft's June 2026 Patch Tuesday brought a wave of security updates, including five vulnerabilities affecting Microsoft Office Word. Disclosed on June 9, 2026, these flaws present a significant risk to users, with four of them rated as High severity and capable of allowing remote code execution.

Four of the five vulnerabilities, CVE-2026-45643, CVE-2026-45486, CVE-2026-45471, and CVE-2026-45457, are categorized as "Untrusted pointer dereference" flaws. Each carries a CVSSv3 score of 7.8 and could permit an unauthorized attacker to execute arbitrary code locally on a victim's machine. The recurrence of the same weakness class across multiple CVEs suggests a common underlying weakness within the Office Word parsing engine.

In addition to the four High-severity remote code execution vulnerabilities, a fifth flaw, CVE-2026-45466, was also disclosed. This vulnerability is a "Heap-based buffer overflow" with a severity rating of Low (CVSSv3 3.3). While less critical, it still allows an unauthorized attacker to disclose information locally, which could be a stepping stone for more sophisticated attacks.

According to reporting from BleepingComputer and Cyber Security News, Microsoft's June 2026 Patch Tuesday addressed a total of 198 to 200 vulnerabilities across its product ecosystem. The Office Word vulnerabilities were part of this larger release, which included three zero-day vulnerabilities, though that coverage does not explicitly state that any of the five Word CVEs were being exploited in the wild.

Microsoft has released security updates to address these vulnerabilities. Users are strongly urged to apply the latest patches provided by Microsoft to mitigate the risks associated with these flaws. The specific versions affected and patched are detailed in Microsoft's official security advisories, which are part of the June 2026 Patch Tuesday rollout. Prompt application of these updates is crucial to protect against potential exploitation.

This coordinated disclosure event highlights the ongoing security challenges within complex software like Microsoft Office. Users should remain vigilant and ensure their software is up-to-date to protect against known vulnerabilities. The presence of multiple high-severity flaws underscores the importance of timely patching and robust security practices for all users of Microsoft Office products.

AI-written article. Grounded in 5 CVE records listed below.