The short answer is that “Remote Code Execution” in Microsoft’s CVE title describes the impact class, not necessarily the CVSS attack vector. Microsoft’s own guidance and long-standing MSRC usage show that a vulnerability can be labeled RCE even when exploitation requires local user interaction or a local trigger path; the title tells you what an attacker can ultimately achieve, while the CVSS vector tells you how the attack is initiated and under what constraints. In other words, remote refers to the fact that the code runs on the victim’s machine, not that the attacker must be on the network in a fully remote, unauthenticated sense.
For CVE-2026-33115, the “remote” label is best read as shorthand for arbitrary code execution on a distant target system after a successful exploit chain, while AV:L indicates the attacker must first get a malicious file, object, or local execution context into play on that machine. That combination is not unusual in Microsoft Office cases. MSRC has previously described Office-triggered RCE issues where the vulnerable code executes when a user opens a crafted document, meaning the exploit begins with a local action but ends with code execution in the context of the affected application.
So the apparent contradiction is mostly a terminology mismatch. CVSS is precise about the attack path; Microsoft’s product-title wording is broader and more user-facing. The result is that a vulnerability can be remotely weaponized through email, downloads, shared files, or collaboration tools, yet still score as local because the decisive moment happens when the victim opens or processes the content on the local machine.
If you want the cleanest interpretation, use this rule of thumb:
- CVE title: tells you the security outcome Microsoft is warning about.
- CVSS AV:L: tells you the exploit needs local execution or local user action.
- Real-world delivery: can still be remote, because the malicious content is often sent from afar and only detonates locally.
Your paraphrase is broadly correct, with one refinement: it is not necessarily that the attacker must “execute code from the local machine” manually. More precisely, the attacker typically needs the victim to open, preview, or otherwise process a malicious file locally, and that local processing then leads to code execution on the victim system. That is why Microsoft can legitimately call it Remote Code Execution even when CVSS says Local.
Source: MSRC
Security Update Guide - Microsoft Security Response Center