office vulnerability

On June 9, 2026, Microsoft’s Security Update Guide entry for CVE-2026-45455 described a Microsoft Excel information disclosure vulnerability whose CVSS impact metrics indicate limited confidentiality loss, with no direct integrity or availability impact if exploitation succeeds. That wording is...

Microsoft labels CVE-2026-45456 as remote code execution because the attacker can be remote from the victim, while the CVSS attack vector is Local because exploitation ultimately occurs through code or content processed on the victim’s own machine, including Outlook’s use of Word rendering. That...

Microsoft’s CVE-2026-45469 describes a Microsoft Excel remote code execution vulnerability in which the CVSS attack vector is local because exploitation requires code to run on the target machine, typically after a user opens or executes attacker-supplied content. The apparent contradiction is...

In Microsoft’s terminology, the phrase “Remote Code Execution” in the CVE title describes the impact of the bug, not necessarily the CVSS attack vector. In other words, if the vulnerability is successfully triggered, the attacker can cause code to run on the victim’s machine, but the exploit...

Microsoft’s naming here is not contradictory once you separate the attack vector from the effect. In CVSS, AV:L means the exploit requires local interaction on the target machine, or a local foothold in the attack path, while Remote Code Execution in Microsoft’s title describes the impact: the...