CVE-2016-7193 — Microsoft Office Memory Corruption Vulnerability

Microsoft Word — RTF File Format Memory Corruption Enables Remote Code Execution via Malicious Document; Patched MS16-121 (October 2016)

What Is Microsoft Office?

Microsoft Office — Word, Excel, PowerPoint, Outlook — is the dominant productivity suite in enterprise environments globally. Because Office documents are the primary medium for business communication, document-based vulnerabilities are among the most exploitable attack vectors: malicious Office documents can be delivered via email (the universal business channel) and opened by users in the normal course of work. Microsoft Word's support for Rich Text Format (RTF) — a legacy format with complex parsing requirements — has been a persistent source of memory corruption vulnerabilities.

RTF (Rich Text Format) is a document format developed by Microsoft in 1987 that supports rich text formatting, embedded objects, and complex layout features. Word's RTF parser processes many decades of format versions and extensions, making it a complex attack surface with significant historical vulnerability density.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-7193 is a memory corruption vulnerability in Microsoft Office that allows remote code execution when a user opens a specially crafted RTF file. Microsoft Word's RTF parser improperly handles certain RTF structures, causing a memory corruption condition that an attacker can exploit to execute arbitrary code at the privilege level of the logged-in user. Delivered via email attachment or malicious download, this vulnerability enables targeted phishing attacks without requiring macro execution. Patched in MS16-121 (October 11, 2016). CISA added CVE-2016-7193 to the KEV catalog in March 2022.

Affected Versions

Microsoft Office                        Status
Microsoft Office 2007 SP3               Vulnerable
Microsoft Office 2010 SP2               Vulnerable
Microsoft Office 2013 SP1               Vulnerable
Microsoft Office 2016 (pre-MS16-121)    Vulnerable
All above with MS16-121 applied         Fixed

Technical Details

Root Cause: RTF Parser Memory Corruption

CVE-2016-7193 is a memory buffer vulnerability (CWE-119) in Microsoft Word's RTF parsing code. The RTF format supports a rich set of control words, groups, and embedded objects. Microsoft Word's RTF parser processes these elements sequentially, managing various data structures and memory buffers as it builds the document model. A specially crafted RTF file contains malformed or unexpected RTF constructs that cause Word's parser to perform incorrect memory operations — reading or writing outside the bounds of allocated buffers, corrupting adjacent heap objects.

The memory corruption path:

  1. User opens a crafted .RTF document — via email attachment, network share, or download
  2. Word's RTF parser processes the document — structured RTF control words trigger the vulnerable parsing code path
  3. Memory corruption occurs — the parser writes data outside buffer bounds, corrupting heap memory
  4. Controlled corruption enables code execution — heap grooming or specific RTF structure ordering causes the corruption to land on a Word object with an exploitable method table
  5. Code executes at the Word process user's privilege level

Attack via Email Without Macros

CVE-2016-7193 is particularly impactful because it exploits RTF parsing rather than Office macros:

  • No macro required — no VBA macro execution prompt appears; the vulnerability triggers from the RTF format processing itself
  • Protected View bypass — in some Word versions and configurations, RTF files opened directly trigger parsing without the Protected View sandbox that applies to documents from external sources in newer Office
  • Universal email delivery — RTF file attachments are a common email format and are processed by Outlook directly for preview in some configurations

Attack Characteristics

Attribute           Detail
Attack Vector       Local (AV:L) — requires opening a crafted RTF document
User Interaction    Required — user opens the malicious RTF file
Delivery            Email attachment, web download, network share
Macro Bypass        RTF format parsing — no macro prompt
Privilege           Current user's context

Discovery

Identified through Microsoft security research; patched in MS16-121 (October 2016 Office Security Update), which addressed multiple Office memory corruption vulnerabilities. CISA's 2022 KEV addition reflects documented use in targeted attacks.

Exploitation Context

  • Targeted phishing campaigns: CVE-2016-7193 was exploited in spear-phishing campaigns delivering malicious RTF documents via email — a particularly effective delivery vector because RTF is a trusted Office format, documents are opened routinely, and the exploit requires no macro approval
  • No macro security bypass needed: Enterprise security controls that disable Office macros (Group Policy, Attack Surface Reduction rules) do not prevent CVE-2016-7193 exploitation; the vulnerability triggers through format parsing, not macro execution
  • RTF as legacy attack surface: Microsoft Word's RTF parser has been a recurring vulnerability source; the complexity of supporting a 30+ year old format creates persistent memory safety challenges; CVE-2016-7193 is part of a long history of RTF-based Office vulnerabilities
  • CISA KEV (2022): Added March 3, 2022, reflecting confirmed exploitation in active attack campaigns

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS16-121 — install the October 2016 Microsoft Office security update via Windows Update, WSUS, or MECM. All subsequent Office cumulative updates include this fix.

  2. Keep Office updated — apply all current Office security updates; Microsoft releases Office security patches monthly and current Office is not affected by CVE-2016-7193.

  3. Enable Protected View — configure Office Protected View to open documents from email and internet sources in a sandbox; Protected View limits exploitation impact by blocking code execution from sandboxed document processing.

  4. Block RTF file attachments at email gateway — if RTF documents are not required for business operations, block .rtf attachments at the email gateway; most modern workflows use .docx or PDF formats.

  5. Deploy Attack Surface Reduction rules — Microsoft Defender's ASR rule "Block Office applications from creating child processes" limits what code executed via Office vulnerabilities can do after initial exploitation.
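For step 4, an extension-only rule misses RTF content saved under another name such as .doc, which Word still opens as RTF, so a gateway filter should look at the decoded attachment bytes. The sketch below is an added example, not part of the original advisory or any vendor tooling; the function names and the sample message are constructed for illustration, and the loose `{\rt` prefix match is a deliberate assumption so that slightly malformed headers are still flagged.

```python
import email
from email import policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rt"      # loose prefix of "{\rtf1" (assumption: prefer over-matching)
BOM = b"\xef\xbb\xbf"     # UTF-8 byte order mark that may precede the header


def looks_like_rtf(data: bytes) -> bool:
    """True if the payload starts with an RTF header, ignoring a BOM and leading whitespace."""
    if data.startswith(BOM):
        data = data[len(BOM):]
    return data.lstrip(b" \t\r\n").startswith(RTF_MAGIC)


def rtf_attachments(raw_message: bytes) -> list:
    """Return names of MIME parts whose decoded content is RTF, whatever their extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        if looks_like_rtf(payload):
            hits.append(part.get_filename() or "(unnamed part)")
    return hits


def build_sample() -> bytes:
    """Constructed message: benign RTF named .doc, benign RTF named .rtf, and a text file."""
    benign_rtf = b"{\\rtf1\\ansi Hello}"
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    msg.add_attachment(benign_rtf, maintype="application", subtype="msword",
                       filename="invoice.doc")
    msg.add_attachment(b"\r\n  " + benign_rtf, maintype="application", subtype="rtf",
                       filename="notes.rtf")
    msg.add_attachment(b"plain text", maintype="application", subtype="octet-stream",
                       filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in rtf_attachments(build_sample()):
        print("block:", name)
```
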

Key Details

Property               Value
CVE ID                 CVE-2016-7193
Vendor / Product       Microsoft — Office
NVD Published          2016-10-14
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added         2022-03-03
CISA KEV Deadline      2022-03-24
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date          Event
2016-10-11    Microsoft releases MS16-121 patching CVE-2016-7193 (Office RTF memory corruption)
2016-10-14    CVE-2016-7193 published by NVD
2022-03-03    Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24    CISA BOD 22-01 remediation deadline