Cyber Resilience

CVE-2017-0261

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 May 2017

Modified: 22 April 2026
KEV Added: 03 March 2022
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9230 (99.7th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-0261 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Office. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 contain a remote code execution vulnerability arising from improper handling of objects in memory. The flaw is tracked as CWE-416 and is distinct from the related issues CVE-2017-0262 and CVE-2017-0281. It received a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, no required privileges, and required user interaction (UI:R in the vector string).

An attacker can exploit the weakness by supplying a specially crafted document that triggers the memory-handling error when opened by a user. Successful exploitation grants arbitrary code execution in the context of the current user, yielding full control over confidentiality, integrity, and availability of the affected system.

Microsoft published an advisory at the MSRC portal that addresses CVE-2017-0261; practitioners should consult that guidance and apply the corresponding Office updates to eliminate the vulnerability. No additional details on in-the-wild exploitation campaigns are supplied in the available references.

EU & UK References

Vulnerability details

Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.

CWE(s)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
office
2010, 2013, 2016

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor-supplied Office updates that eliminate the memory-handling flaw (CWE-416) before a crafted document can be exploited.

prevent · detect

Malicious-code protection mechanisms can inspect or sandbox incoming Office documents and block execution of the exploit payload.

prevent

Integrity verification of Office binaries and document files can detect unauthorized modification or substitution that would otherwise trigger the RCE flaw.

References