CVE-2026-47290: Patch Office RCE With July 14 Updates

Microsoft classified CVE-2026-47290 as a Microsoft Office remote code execution vulnerability even though its CVSS attack vector is Local, because the two labels describe different parts of the attack. Remote code execution describes the attacker’s ability to cause code to run on another person’s computer, while AV:L describes where the vulnerable Office component must process the exploit.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 7.8, rated High. Microsoft’s vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating low attack complexity, no required privileges, required user interaction, and potentially high impact to confidentiality, integrity, and availability.
The distinction matters because administrators can easily read “local attack vector” as meaning an attacker must already have an account or interactive access to the target PC. That is not what Microsoft’s assessment says in this case.

Cybersecurity graphic showing a malicious Office document exploiting a use-after-free flaw for code execution.The Exploit Runs Locally, but the Attacker May Be Elsewhere​

Microsoft explains in its CVE advisory that “remote” refers to the attacker’s location. An attacker could reportedly prepare malicious content elsewhere and persuade a victim to open or otherwise process it on an affected Windows computer.
The actual triggering operation occurs inside the victim’s local Office environment. That is why the CVSS attack-vector metric is AV:L: the vulnerable component is not being attacked directly through a network-facing Office service listening for inbound connections.
This is a common pattern in document-based attacks. A malicious document can arrive through email, a collaboration platform, a download, removable media, or a shared location, but Office must process the content on the target machine before exploitation occurs. The attacker can remain remote throughout that sequence even though the vulnerable code path is reached locally.
Microsoft describes the underlying flaw as a use-after-free vulnerability, mapped to CWE-416. This class of memory-safety error occurs when software continues to use memory after it has been released, potentially allowing carefully constructed data to corrupt program state and redirect execution.
A successful attack could therefore result in attacker-controlled code running on the victim’s PC. The term arbitrary code execution, or ACE, is often a more mechanically precise description, but Microsoft commonly uses “remote code execution” for vulnerabilities that let a remote adversary deliver an exploit that ultimately executes on a target system.

The CVSS Vector Tells the More Complete Story​

The remaining CVSS fields help resolve the apparent contradiction between “remote code execution” and AV:L.
PR:N means the attacker does not require existing privileges on the target. In other words, the vulnerability is not limited to someone who has already logged on locally or compromised a Windows account.
UI:R means user interaction is required. The target must perform an action that causes Office to process the attacker’s content. Microsoft’s supplied explanation says that an attacker or victim needs to execute code from the local machine, although this should not be interpreted as requiring the victim to knowingly launch an executable payload. In Office attacks, opening or interacting with a specially crafted file may be the relevant action.
AC:L indicates that Microsoft does not consider exploitation dependent on unusually complex conditions. That does not establish that working exploit code is publicly available, but it does mean the vulnerability’s expected exploitation path is not scored as requiring a difficult race condition, rare configuration, or similarly substantial obstacle.
The three High impact ratings — C:H/I:H/A:H — reflect the potential consequences after successful exploitation. Attacker-controlled code could expose data, modify files or settings, and disrupt the affected system, subject to the security context under which Office is running.
The S:U field records an unchanged scope. The compromised Office process and the affected resources remain under the same security authority for CVSS scoring purposes. This does not make exploitation harmless; it means CVE-2026-47290 is not separately scored as crossing a security boundary into another authorization scope.
Taken together, the vector describes a familiar malicious-document scenario:
  • The attacker does not need an account or privileges on the victim’s PC.
  • The attacker supplies content that must be processed locally.
  • The victim must take an action that reaches the vulnerable Office code.
  • Successful exploitation may allow arbitrary code to run with substantial impact.
That is remote-originated code execution with a local attack vector, not a network-service vulnerability that can be triggered directly over TCP or another protocol.

Office 2016 Through LTSC 2024 Are in Scope​

Microsoft’s CVE data identifies affected editions across the currently serviced Office estate, including Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024. Both 32-bit and 64-bit systems are represented in the affected-product records.
For Office 2016, Microsoft released KB5002273 on July 14. The standalone package applies to MSI-based installations of Office 2016 and updates affected systems to the corrected file level associated with version 16.0.5561.1000. Microsoft notes that this particular Download Center package does not apply to Click-to-Run editions.
Microsoft 365 Apps and newer perpetual Office releases use their applicable servicing channels rather than the Office 2016 MSI package. Administrators should therefore validate both the installed Office edition and its update channel instead of treating KB5002273 as a universal fix.
Automatic updating should deliver the applicable correction to normally managed installations. Enterprises using Microsoft Configuration Manager, Microsoft Intune, Windows Server Update Services, or controlled Click-to-Run update policies should verify deployment compliance and check for machines that have missed the July 14 Office security release.
Because user interaction is required, mail filtering, Protected View, attachment controls, Microsoft Defender for Office 365, and endpoint protection can provide additional defensive layers. Those controls should not be treated as substitutes for patching: a malicious file can reach users through channels other than email, and detection may vary as exploit techniques change.

“Local” Is Not Synonymous With Low Risk​

The practical lesson for defenders is that the attack-vector field should not be read in isolation. AV:L says where exploitation is performed relative to the vulnerable component; it does not necessarily say where the adversary is sitting, how the malicious content arrived, or whether the attacker already controls the computer.
For CVE-2026-47290, PR:N and UI:R are especially important. The attacker needs cooperation from the target, but not prior authentication. That makes phishing, malicious downloads, compromised document repositories, and other content-delivery routes relevant even though the CVSS vector does not say AV:N.
Microsoft’s “remote code execution” title is therefore consistent with the expected threat model: a remote attacker can cause attacker-chosen code to execute on another system after locally installed Office processes malicious content. The July 14, 2026 Office updates close that path, making deployment status—not the semantic difference between RCE and ACE—the immediate concern for Windows administrators.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
 

Back
Top