Cyber Resilience

CVE-2017-11826

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 13 October 2017

Modified: 22 April 2026
KEV Added: 03 March 2022
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9169 (99.7th percentile)
Risk Priority: 91 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-11826 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Word. Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2017-11826 is a memory corruption vulnerability, tracked under CWE-119, that affects multiple Microsoft Office and SharePoint components including Office 2010, SharePoint Server 2010 and Enterprise Server 2010, Office Web Apps Server 2010 and 2013, Word 2007 through 2016, Word Viewer, Word Automation Services, and Office Online Server. The flaw arises when the software fails to properly handle objects in memory, enabling remote code execution.

An attacker can exploit the issue by supplying a specially crafted document that triggers the memory corruption when the victim opens it. The CVSS vector (AV:L/AC:L/PR:N/UI:R) indicates a local attack vector, no privileges required, and user interaction required; once code execution is achieved, the impact on confidentiality, integrity, and availability is high.

Microsoft's Security Response Center advisory and related vendor bulletins address mitigation through available security updates for the affected products. Public analyses, including those from McAfee and 0patch, confirm the vulnerability was observed being exploited in the wild as a zero-day prior to patching.

EU & UK References

Vulnerability details

Microsoft Office 2010, SharePoint Enterprise Server 2010, SharePoint Server 2010, Web Applications, Office Web Apps Server 2010 and 2013, Word Viewer, Word 2007, 2010, 2013 and 2016, Word Automation Services, and Office Online Server allow remote code execution when the software fails to properly handle objects in memory.

CWE(s)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · office compatibility pack · all versions
microsoft · office online server · 2016
microsoft · office web apps server · 2010, 2013
microsoft · office word viewer · all versions
microsoft · sharepoint enterprise server · 2016
microsoft · sharepoint server · 2010, 2013
microsoft · word · 2007, 2010, 2013, 2016

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying vendor security updates to eliminate the memory-handling flaw before a crafted document can be exploited.

prevent

Mandates memory-protection techniques (DEP, ASLR, etc.) that block exploitation of the exact class of memory corruption (CWE-119) described in the CVE.

prevent · detect

Deploys malicious-code detection mechanisms that can identify and block the specially crafted documents used to trigger the RCE.

References