Cyber Resilience

CVE-2017-11882

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRansomware-linked

Published: 15 November 2017

Published
15 November 2017
Modified
22 April 2026
KEV Added
03 November 2021
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.9435 100.0th percentile
Risk Priority 92 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2017-11882 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Office. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 are affected by CVE-2017-11882, a memory corruption vulnerability tracked under CWE-119. The flaw stems from improper handling of objects in memory and carries a CVSS 3.1 score of 7.8, reflecting local attack vector, low complexity, no required privileges, and required user interaction.

An attacker can exploit the issue by supplying a specially crafted document that triggers the memory corruption when opened in an affected Office application. Successful exploitation grants the ability to execute arbitrary code in the context of the current user, potentially leading to full confidentiality, integrity, and availability impacts on the affected system.

Public references describe both an official Microsoft patch and third-party micropatches such as those from 0patch, along with demonstrations of fileless attack techniques in Word that avoid macros. These sources indicate that applying the vendor update or equivalent micropatch addresses the memory handling defect.

EU & UK References

Vulnerability details

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly…

more

handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
office
2007, 2010, 2013, 2016

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch (or equivalent micropatch) that corrects the memory-handling defect in affected Office versions.

prevent

Implements OS- or process-level memory protections that can block exploitation of the CWE-119 corruption even if a malicious document is opened.

preventdetect

Deploys malicious-code detection on documents that can identify or block the specially crafted files used to trigger the Office memory corruption.

References