9.3

CVE-2017-0261

Warning

Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.

Data is provided by the National Vulnerability Database (NVD)
MicrosoftOffice Version2010 Updatesp2
MicrosoftOffice Version2013 Updatesp1
MicrosoftOffice Version2016

03.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Office Use-After-Free Vulnerability

Vulnerability

Microsoft Office contains a use-after-free vulnerability which can allow for remote code execution.

Description

Apply updates per vendor instructions.

Required actions
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 92.07% 0.997
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 9.3 8.6 10
AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

http://www.securityfocus.com/bid/98104
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id/1038444
Third Party Advisory
Broken Link
VDB Entry