CVE-2017-11882

CVE-2017-11882 is a high-severity vulnerability in Microsoft Office with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-119.

Key facts

Description

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.

Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2017-11882
Published 2017-11-15
Last Modified 2026-06-17
CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS v3 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CWE CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
EPSS 0.99945 (99.97th percentile)
CISA KEV Yes (added 2021-11-03)
Assigner [email protected]

Summary

CVE-2017-11882 is a memory corruption vulnerability in multiple versions of Microsoft Office. The flaw exists because the application fails to properly handle objects in memory. An attacker who successfully exploits this vulnerability can run arbitrary code in the context of the current user. If the current user is logged on with administrative rights, the attacker can take complete control of the affected system.

Background

This vulnerability was disclosed by Microsoft as part of the November 2017 Patch Tuesday security updates. It is tracked distinctly from CVE-2017-11884, which addresses a related but separate memory corruption issue in the same product family. The vulnerability has been actively exploited in the wild and was later added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting its continued relevance to threat actors.

Root Cause — CWE-119

The vulnerability is classified under CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. The root cause lies in improper memory handling when Office processes certain embedded objects. Specifically, the application does not adequately validate or constrain operations on memory buffers, leading to an out-of-bounds condition that can be leveraged for code execution. The flaw stems from legacy code paths that lack modern memory-safety checks.

Impact

The CVSS v2 base score of 9.3 and CVSS v3 score of 7.8 (HIGH) reflect severe impact potential:

  • Confidentiality Impact: Complete (HIGH in v3) — attacker can read arbitrary data.
  • Integrity Impact: Complete (HIGH in v3) — attacker can modify arbitrary data.
  • Availability Impact: Complete (HIGH in v3) — attacker can cause system unavailability.
  • Attack Vector: Network (v2) / Local (v3, due to user interaction requirement).
  • Attack Complexity: Medium (v2) / Low (v3).
  • Privileges Required: None.
  • User Interaction: Required — the victim must open a malicious file.

Exploitation Walkthrough (Defensive Perspective)

Ethics Note: The following description is provided for defensive awareness only. No weaponized exploit code is included.

Attackers typically deliver exploitation via a malicious Office document (e.g., Word, Excel, or PowerPoint) distributed through spear-phishing email campaigns. When the victim opens the document, the application processes a malformed embedded object that triggers the memory corruption. The attacker-supplied payload then executes in the context of the current user.

Common delivery vectors observed in the wild include:

  • Email attachments with social-engineered filenames
  • Malicious documents embedded in archives
  • Drive-by downloads hosted on compromised or attacker-controlled websites

Defensive teams should focus on:

  • Blocking macro-enabled and unknown document types at the email gateway
  • Enforcing application sandboxing and isolation
  • Monitoring for suspicious child processes spawned by Office applications

Affected and Patched Versions

Affected Products (per NVD CPE data):

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2
  • Microsoft Office 2013 Service Pack 1
  • Microsoft Office 2016

Remediation: Apply the official security updates released by Microsoft for the affected Office versions. Microsoft addressed this vulnerability in the November 2017 security updates. Organizations running unsupported versions (e.g., Office 2007) should migrate to a supported release.

Remediation

  1. Patching: Install the latest security updates for Microsoft Office from the Microsoft Security Response Center.
  2. Compensating Controls:
    • Disable or restrict Office file attachments in email gateways.
    • Implement Attack Surface Reduction (ASR) rules on Windows endpoints to block Office applications from creating child processes.
    • Enable Protected View for documents originating from the Internet.
    • Apply the principle of least privilege — ensure users operate without administrative rights where possible.
    • Consider application allowlisting to prevent execution of untrusted Office binaries or add-ins.

Detection

Security operations teams can detect potential exploitation by monitoring for:

  • Suspicious child processes (e.g., powershell.exe, cmd.exe, mshta.exe) spawned by winword.exe, excel.exe, or powerpnt.exe
  • Network connections initiated by Office processes to unusual external hosts
  • Office documents with embedded objects that trigger Equation Editor or similar legacy components
  • Endpoint detection alerts for memory corruption or heap-spray patterns in Office applications

Assessment

With an EPSS score of 0.99945 (99.97th percentile) and a confirmed presence on the CISA KEV catalog since November 2021, CVE-2017-11882 represents one of the most reliably exploited Office vulnerabilities on record. The high EPSS score indicates that exploitation in the wild is not merely theoretical but statistically near-certain for unpatched systems.

Key lessons:

  1. Legacy code carries enduring risk: Components that predate modern memory-safe development practices continue to introduce critical vulnerabilities years after initial release.
  2. User interaction is not a strong control: Requiring a user to open a document remains a low bar for determined threat actors armed with convincing social engineering.

References

Frequently asked questions

What is CVE-2017-11882?
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
How severe is CVE-2017-11882?
CVE-2017-11882 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-11882 being actively exploited?
Yes. CVE-2017-11882 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-11882?
CVE-2017-11882 primarily affects Microsoft Office. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-11882?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-11882 have an EU (EUVD) identifier?
Yes. CVE-2017-11882 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-3478. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2017-11882 published?
CVE-2017-11882 was published on 2017-11-15 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Microsoft Office

All CVEs affecting Microsoft Office →

Other CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) vulnerabilities

Browse all CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) vulnerabilities →