Cyber Resilience

CVE-2018-0802

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 January 2018

Modified: 28 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9389 (99.9th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-0802 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Office. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2018-0802 is a memory corruption flaw in the Equation Editor component of Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016. It arises from the way objects are handled in memory and is tracked as CWE-787, an out-of-bounds write condition. The issue is distinct from the related flaws CVE-2018-0797 and CVE-2018-0812.

An unauthenticated attacker can exploit the weakness by supplying a malicious document that triggers the flaw when a user opens it. In CVSS terms the attack vector is local (AV:L) and exploitation requires user interaction (UI:R) but no privileges (PR:N). Successful exploitation yields arbitrary code execution with full impact on confidentiality, integrity, and availability.

Public references include security tracking entries and proof-of-concept implementations that demonstrate the memory handling issue in affected Equation Editor versions.

Vulnerability details

Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.

CWE(s): CWE-787
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
microsoft | office | 2007, 2010, 2013, 2016
microsoft | office compatibility pack | all versions
microsoft | word | 2007, 2010, 2013, 2016

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely patching of the Equation Editor memory corruption flaw in Office 2007-2016 to eliminate the out-of-bounds write.

prevent: Applies OS-level memory protections (ASLR, DEP, etc.) that raise the bar against successful exploitation of the CWE-787 write condition when a malicious document is opened.

prevent: Enforces least functionality by disabling or removing the vulnerable Equation Editor component so that malicious documents cannot trigger the flaw.