Skip to main content

Microsoft Office CVE-2025-59234

HIGH
Use After Free (CWE-416)
2025-10-14 secure@microsoft.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 16:30 vuln.today

DescriptionCVE.org

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

AnalysisAI

Local code execution in Microsoft Office (including 365 Apps Enterprise, Office 2016/2019, and Office LTSC 2021 across Windows, macOS, and Android) is possible when a victim opens a maliciously crafted document that triggers a use-after-free condition. An unauthorized attacker who convinces a user to open the file can execute arbitrary code in the context of the current user, with no public exploit identified at time of analysis. CVSS is 7.8 reflecting local attack vector with required user interaction but full confidentiality, integrity, and availability impact.

Technical ContextAI

The flaw is a CWE-416 Use After Free memory corruption bug within Microsoft Office's document or object handling code. Use-after-free occurs when memory is referenced after it has been deallocated, allowing an attacker who controls heap allocation patterns to place attacker-controlled data into the freed region and hijack a subsequent dereference - typically a virtual function table pointer - to redirect execution. CPE data confirms the affected technologies span the Click-to-Run Microsoft 365 Apps (Enterprise x86/x64), the MSI-based Office 2016 and 2019 product families, and the Office Long Term Servicing Channel 2021 builds on Windows (x86/x64) and macOS, plus Office for Android, indicating the vulnerable parsing code is in a shared Office component rather than a single platform-specific binary.

RemediationAI

Apply the Microsoft security updates referenced in MSRC advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59234 - for Click-to-Run Microsoft 365 Apps this is delivered automatically through the Office update channel, while Office 2016, 2019, and LTSC 2021 require the corresponding Patch Tuesday MSI/MSP updates and the macOS and Android builds require updates from the Mac AutoUpdate service and Google Play respectively; exact patched build numbers are listed only in the MSRC update guide and should be cited from there rather than inferred. As compensating controls while patching, enable Protected View and Office Application Guard for documents originating from the Internet or email so untrusted files open in a sandboxed renderer, enforce Attack Surface Reduction rules that block child-process creation by Office applications and block executable content from email/webmail, and disable inbound delivery of legacy or unexpected Office formats via mail gateway policy - the trade-off is that Protected View and ASR rules can break legitimate document workflows (macros, embedded objects, automation) and need exception handling for power users.

CVE-2026-21509 HIGH
7.8 Jan 26

Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in sec

CVE-2026-21514 HIGH
7.8 Feb 10

Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted input

CVE-2024-21413 CRITICAL POC
9.8 Feb 13

Microsoft Outlook Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2025-47957 HIGH POC
8.4 Jun 10

Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary

CVE-2022-41106 HIGH
8.8 Nov 09

Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2023-33148 HIGH POC
7.8 Jul 11

Microsoft Office Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack

CVE-2025-27751 HIGH POC
7.8 Apr 08

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C

CVE-2025-47165 HIGH POC
7.8 Jun 10

Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A

CVE-2025-47175 HIGH POC
7.8 Jun 10

Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb

CVE-2023-36041 HIGH POC
7.8 Nov 14

Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica

CVE-2023-28311 HIGH POC
7.8 Apr 11

Microsoft Word Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authenticat

CVE-2023-28285 HIGH POC
7.8 Apr 11

Microsoft Office Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentic

Share

CVE-2025-59234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy