Microsoft Office
CVE-2025-59227
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft Office (including Microsoft 365 Apps Enterprise, Office 2016/2019, and Office LTSC 2021 across Windows x86/x64, macOS, and Android) arises from a use-after-free memory corruption (CWE-416) that an attacker can trigger by convincing a user to open a crafted document. Exploitation runs in the context of the current user with high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Technical ContextAI
The flaw is a CWE-416 use-after-free in the Microsoft Office suite - a class of memory corruption where code continues to reference heap memory after it has been freed, enabling an attacker to reclaim that allocation with controlled data and hijack execution flow when the dangling pointer is dereferenced. Office's document parsers (Word, Excel, PowerPoint, and shared rich-text/OLE components) historically reuse complex object models for parsing structured file formats, and lifetime bugs in those object graphs are a recurring source of UAF conditions. The CPE list shows the defect spans the entire current Office estate: Microsoft 365 Apps (Enterprise x86/x64), perpetual Office 2016 and 2019, and Office LTSC 2021 on Windows x86/x64 and macOS, plus Office on Android, indicating the vulnerable component is shared across platforms rather than being OS-specific.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59227 for each affected channel - Microsoft 365 Apps via Click-to-Run servicing, Office 2016/2019/LTSC 2021 via Microsoft Update or the corresponding MSP/MSI packages, and the Android build via the Play Store - using the exact fixed build listed in that advisory (specific fixed versions are not included in the input data, so consult MSRC for the exact KB/build per SKU). Until the patch is deployed, compensating controls include enabling Protected View and Office Application Guard for files originating from the internet or email so untrusted documents are parsed in a sandboxed container, blocking or quarantining Office attachments at the mail gateway from external senders, and enabling Microsoft Defender Attack Surface Reduction rules that block Office from creating child processes and from executing downloaded executable content - these reduce post-exploitation impact but do not address the underlying parser bug and can break legitimate macros, add-ins, or workflows that rely on child-process spawning.
Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in sec
Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted input
Microsoft Outlook Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl
Microsoft Office Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C
Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A
Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica
Microsoft Word Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authenticat
Microsoft Office Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentic
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today