Skip to main content

Microsoft CVE-2026-32188

| EUVDEUVD-2026-22567 HIGH
Out-of-bounds Read (CWE-125)
2026-04-14 microsoft
7.1
CVSS 3.1 · NVD
Temporal: 6.2
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
6.2 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:22 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22567
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
HIGH 7.1

DescriptionCVE.org

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

AnalysisAI

Out-of-bounds read vulnerability (CWE-125) in Microsoft Excel allows local attackers to disclose sensitive memory contents and cause denial of service through maliciously crafted spreadsheet files with user interaction. Affects Microsoft Office 2016/2019, Office LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office Online Server across Windows and macOS platforms. CVSS 7.1 reflects high confidentiality and availability impact with low attack complexity but requires local access and user interaction. No public exploit identified at time of analysis. Vendor-released patches available through Microsoft Security Response Center covering all affected Office product lines.

Technical ContextAI

This vulnerability stems from CWE-125 (Out-of-bounds Read), a memory safety flaw where the Excel application reads data beyond allocated buffer boundaries during spreadsheet file parsing. When processing malformed Excel documents, the parser fails to properly validate array indices or buffer lengths, allowing access to adjacent memory regions. The affected products span multiple Microsoft Office ecosystems: perpetual licenses (Excel 2016 version 16.0.0.0-16.0.5548.1000, Office 2019 19.0.0), volume-licensed LTSC editions (LTSC 2021/2024 starting from 16.0.1 and 16.0.0 respectively), subscription-based Microsoft 365 Apps for Enterprise (16.0.1), macOS LTSC variants (LTSC for Mac 2021/2024 versions below 16.108.26041219), and server deployments (Office Online Server 16.0.0.0-16.0.10417.20113). The CPE identifiers confirm cross-platform impact affecting both Windows and macOS deployments, indicating a core parsing engine vulnerability rather than platform-specific code.

RemediationAI

Apply vendor-released patches immediately through Microsoft Update or volume licensing service channels referencing Microsoft Security Response Center guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32188. For Office Online Server, upgrade to version 16.0.10417.20113 or later. For Microsoft Office LTSC for Mac 2021 and 2024, update to version 16.108.26041219 or later. For Microsoft Excel 2016, apply update to version 16.0.5548.1000 or later. Microsoft Office 2019, Office LTSC 2021/2024, and Microsoft 365 Apps for Enterprise users should consult monthly security release guidance at https://aka.ms/OfficeSecurityReleases for specific patch builds corresponding to their deployment channel (Current, Monthly Enterprise, Semi-Annual Enterprise). Until patches are deployed, implement defense-in-depth controls including restricting Excel file opening from untrusted sources, enabling Protected View for files from Internet and external locations, and user awareness training on suspicious spreadsheet attachments. Consider application control policies limiting Excel execution to necessary user populations in high-security environments.

Share

CVE-2026-32188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy