ACTIVELY EXPLOITED · 3 sources verified · 4 min read
By Lyrie Threat Intelligence · 1/7/2026

What happened

CISA added CVE-2009-0556 to the Known Exploited Vulnerabilities (KEV) Catalog on 2026-01-07, signaling confirmed exploitation in the wild [CISA KEV catalog]. The flaw is a code injection vulnerability in Microsoft Office PowerPoint that enables remote code execution when a victim opens a crafted presentation [NVD: CVE-2009-0556]. The malicious file abuses an OutlineTextRefAtom with an invalid index value to trigger memory corruption during parsing [MITRE CVE record]. CISA's required action is to apply vendor mitigations, or to discontinue use of the product where mitigations are unavailable, with a remediation due date of 2026-01-28 [CISA KEV catalog].

Why it matters

KEV inclusion means active exploitation and elevates this to a must-fix for enterprise defenders rather than a backlog item [CISA KEV catalog]. Remote code execution triggered by opening a document is a high-likelihood delivery vector, because attackers can reach targets through email or shared storage with weaponized presentations [NVD: CVE-2009-0556]. The bug's core is memory corruption caused by a malformed OutlineTextRefAtom index, a class of flaw that historically yields reliable code execution when paired with modern exploit chains [MITRE CVE record]. The vulnerability maps to CWE-94 (Code Injection), reflecting unsanitized index/control data flowing into a dynamic execution path [NVD CWE mapping]. Organizations running Microsoft Office remain exposed until mitigations are fully applied on every endpoint that can open PowerPoint files [NVD: CVE-2009-0556].

Technical detail

CVE-2009-0556 triggers when PowerPoint parses an OutlineTextRefAtom whose index field points outside the expected bounds, corrupting memory and allowing the attacker to control execution flow [MITRE CVE record]. The attack is file-borne: opening a malicious presentation is the execution precondition, and no user interaction beyond viewing the slide deck is required [NVD: CVE-2009-0556]. Because the bug is classified under CWE-94 (Code Injection), exploit payloads can be staged through manipulated structure references that the parser misinterprets as trusted data [NVD CWE mapping]. The vulnerable component sits in the PowerPoint file-parsing path, which makes content scanning and strict parsing limits relevant to both detection and mitigation [MITRE CVE record]. KEV designation indicates observed exploitation, so exploit artifacts are circulating and are likely to be incorporated into commodity document-delivery campaigns [CISA KEV catalog].
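The bounds check described here, and the content-inspection item in the Defense section, come down to one question: does every OutlineTextRefAtom in the record stream carry a textIndex that is non-negative and within the placeholder range? The scanner below is an added example written for this note; it is not Lyrie's parser and not Microsoft's code. It follows the MS-PPT RecordHeader layout (recVer/recInstance, recType 0x0F9E for RT_OutlineTextRefAtom, recLen, then a 4-byte signed textIndex) and assumes the caller has already pulled the "PowerPoint Document" stream out of the OLE compound file. The upper bound of 8 on textIndex and the constructed sample stream are assumptions made for the example.

```python
"""Scan a PowerPoint binary-format record stream for OutlineTextRefAtom records
whose textIndex is out of range (the CVE-2009-0556 trigger condition).

Record layout (MS-PPT RecordHeader, little-endian):
  2 bytes  recVer (low 4 bits) / recInstance (high 12 bits)
  2 bytes  recType   (RT_OutlineTextRefAtom = 0x0F9E)
  4 bytes  recLen    (must be 4 for this atom)
  4 bytes  textIndex (signed int32, zero-based)
"""
import struct
from dataclasses import dataclass

RT_OUTLINE_TEXT_REF_ATOM = 0x0F9E
# Assumption for this example: a legitimate textIndex is a small non-negative
# placeholder index, so anything negative or >= 8 is treated as suspect.
MAX_TEXT_INDEX = 8
HEADER_LEN = 8
ATOM_LEN = HEADER_LEN + 4


@dataclass
class Finding:
    offset: int      # byte offset of the RecordHeader inside the stream
    text_index: int  # parsed textIndex (-1 when recLen was already wrong)
    reason: str


def scan_outline_text_refs(stream: bytes, max_index: int = MAX_TEXT_INDEX) -> list[Finding]:
    """Heuristic linear scan: at every byte offset look for a RecordHeader whose
    recType is RT_OutlineTextRefAtom, then validate recLen and textIndex.

    A linear scan is used instead of walking the container tree so that a
    truncated or deliberately corrupted container hierarchy cannot hide the atom.
    """
    findings: list[Finding] = []
    for off in range(0, len(stream) - ATOM_LEN + 1):
        rec_type = struct.unpack_from("<H", stream, off + 2)[0]
        if rec_type != RT_OUTLINE_TEXT_REF_ATOM:
            continue
        ver_inst = struct.unpack_from("<H", stream, off)[0]
        if (ver_inst & 0x0F) == 0x0F:      # recVer 0xF marks a container, never an atom
            continue
        rec_len = struct.unpack_from("<I", stream, off + 4)[0]
        if rec_len != 4:
            findings.append(Finding(off, -1, f"recLen {rec_len} != 4"))
            continue
        text_index = struct.unpack_from("<i", stream, off + HEADER_LEN)[0]
        if text_index < 0:
            findings.append(Finding(off, text_index, "negative textIndex"))
        elif text_index >= max_index:
            findings.append(Finding(off, text_index, f"textIndex >= {max_index}"))
    return findings


def build_atom(text_index: int, rec_len: int = 4) -> bytes:
    """Constructed helper: serialise one OutlineTextRefAtom (recVer 0, recInstance 0)."""
    return struct.pack("<HHIi", 0x0000, RT_OUTLINE_TEXT_REF_ATOM, rec_len, text_index)


# Constructed sample stream: padding, one benign atom (index 1), one atom with an
# absurdly large index, and one with a negative index.
CONSTRUCTED_SAMPLE = b"\x00" * 4 + build_atom(1) + build_atom(0x7FFFFFFF) + build_atom(-1)


def is_suspicious(stream: bytes) -> bool:
    """Quarantine decision: any out-of-range OutlineTextRefAtom blocks the file."""
    return bool(scan_outline_text_refs(stream))


if __name__ == "__main__":
    for f in scan_outline_text_refs(CONSTRUCTED_SAMPLE):
        print(f"offset {f.offset:#06x}: textIndex={f.text_index} ({f.reason})")
    print("quarantine:", is_suspicious(CONSTRUCTED_SAMPLE))
```

In a gateway deployment the input would be the "PowerPoint Document" stream read from the compound file (for example with a CFB/OLE library); scanning the raw .ppt bytes instead only works when that stream happens to be stored in contiguous sectors, so extract the stream first rather than relying on that.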

Defense

  • Patch or mitigate now per CISA's directive; KEV entries are prioritized because they are actively exploited in the wild [CISA KEV catalog].
  • Enforce attachment-handling policies: quarantine or detonate untrusted PowerPoint files before delivery, since exploitation requires opening a crafted presentation [NVD: CVE-2009-0556].
  • Instrument Office telemetry: alert when PowerPoint opens an externally sourced presentation and then spawns abnormal child processes or script hosts, the pattern that indicates an RCE chain from this parsing flaw [MITRE CVE record].
  • Tighten content inspection: scan inbound PPT content for malformed OutlineTextRefAtom index values to catch the corruption trigger early in the pipeline [NVD: CVE-2009-0556].
  • Validate coverage: ensure EDR rules and email gateways treat CVE-2009-0556 as a high-severity document exploit path tied to PowerPoint parsing [CISA KEV catalog].
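The telemetry item above describes a two-event correlation: a PowerPoint process opens a deck from an external location, then that same process spawns a script host or shell. The detector below is an added example written for this note (not Lyrie's process-graph engine or any vendor's rule); the pipe-delimited `key=value` log format, the log lines, the list of suspicious child images and the path fragments that mark a deck as "external" are all constructed assumptions.

```python
"""Correlate Office file-open telemetry with child-process creation to flag the
"PowerPoint opens an external deck, then spawns a script host" pattern.

The log format used here is constructed for this example (pipe-delimited
key=value fields), not the output of any particular EDR product.
"""
from datetime import datetime, timedelta

# Child images a presentation viewer has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Assumption: mail attachments and browser downloads land in these locations.
EXTERNAL_PATH_HINTS = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\outlook\\")
OFFICE_PARENT = "powerpnt.exe"
WINDOW = timedelta(minutes=2)   # max gap between external open and child spawn

# Constructed sample telemetry: one external deck followed by cmd.exe (and a
# benign print helper), then a trusted template followed by powershell.exe.
CONSTRUCTED_LOG = """\
2026-01-07T10:00:01Z|FILE_OPEN|pid=4120|image=POWERPNT.EXE|path=C:\\Users\\alice\\Downloads\\Q1-deck.ppt
2026-01-07T10:00:04Z|PROC_CREATE|pid=5010|ppid=4120|image=cmd.exe|cmdline=cmd.exe /c whoami
2026-01-07T10:00:05Z|PROC_CREATE|pid=5011|ppid=4120|image=splwow64.exe|cmdline=splwow64.exe
2026-01-07T10:05:00Z|FILE_OPEN|pid=4300|image=POWERPNT.EXE|path=C:\\Corp\\Templates\\brand.pptx
2026-01-07T10:05:02Z|PROC_CREATE|pid=5020|ppid=4300|image=powershell.exe|cmdline=powershell.exe -nop
"""


def parse_event(line: str) -> dict:
    """Turn one pipe-delimited line into a dict with a parsed timestamp."""
    ts, kind, *kvs = line.strip().split("|")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    for kv in kvs:
        key, _, value = kv.partition("=")   # cmdline may itself contain '='
        event[key] = value
    return event


def detect_office_spawn_chains(log_text: str) -> list[dict]:
    """Return one alert per suspicious child of a PowerPoint process.

    Severity is "high" when the parent opened an externally sourced deck within
    WINDOW before the spawn (the CVE-2009-0556 delivery pattern), "medium" when
    PowerPoint spawned a script host with no such precursor on record.
    Events are assumed to arrive in timestamp order.
    """
    alerts: list[dict] = []
    office_pids: set[int] = set()          # every pid seen running POWERPNT.EXE
    external_open: dict[int, tuple] = {}   # pid -> (ts, path) of last external deck
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        image = ev.get("image", "").lower()
        if image == OFFICE_PARENT:
            pid = int(ev["pid"])
            office_pids.add(pid)
            if ev["kind"] == "FILE_OPEN":
                path = ev.get("path", "")
                if any(hint in path.lower() for hint in EXTERNAL_PATH_HINTS):
                    external_open[pid] = (ev["ts"], path)
            continue
        if ev["kind"] != "PROC_CREATE" or image not in SUSPICIOUS_CHILDREN:
            continue
        ppid = int(ev["ppid"])
        if ppid not in office_pids:
            continue
        opened = external_open.get(ppid)
        recent = opened is not None and ev["ts"] - opened[0] <= WINDOW
        alerts.append({
            "ts": ev["ts"],
            "severity": "high" if recent else "medium",
            "parent_pid": ppid,
            "child": image,
            "cmdline": ev.get("cmdline", ""),
            "trigger_path": opened[1] if recent else None,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_office_spawn_chains(CONSTRUCTED_LOG):
        print(f"[{a['severity']}] {a['ts']} POWERPNT.EXE pid={a['parent_pid']} "
              f"-> {a['child']} ({a['cmdline']}) after {a['trigger_path']}")
```

Keeping a "medium" tier for Office-spawns-shell with no external-open precursor is deliberate: telemetry gaps (a missed file-open event, a deck opened from a network share not covered by the path hints) should degrade the alert, not silence it.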

Lyrie Verdict

This is classic file-parse RCE: a crafted OutlineTextRefAtom with an invalid index flips parsing into attacker code at open time [NVD: CVE-2009-0556]. Lyrie treats document ingestion as hostile and performs autonomous, structure-aware pre-execution parsing to identify out-of-bounds index references in PowerPoint atoms, quarantining the file before Office ever touches it [MITRE CVE record]. We pin decisions to machine-speed signals from the parser path and the process graph, auto-blocking Office spawn chains that correlate with malformed PPT indicators linked to CVE-2009-0556 without waiting for human triage [CISA KEV catalog]. Against rogue AI-generated lure campaigns that can mutate content rapidly, deterministic structure checks on OutlineTextRefAtom indices remain invariant anchors that our autonomous layer enforces at ingest time [NVD: CVE-2009-0556].

Lyrie Verdict

Autonomous, structure-aware parsing blocks malformed PowerPoint OutlineTextRefAtom exploits at ingest, with machine-speed enforcement on Office process graphs.