Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
AnalysisAI
Out-of-bounds read vulnerability (CWE-125) in Microsoft Excel allows local attackers to disclose sensitive memory contents and cause denial of service through maliciously crafted spreadsheet files with user interaction. Affects Microsoft Office 2016/2019, Office LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office Online Server across Windows and macOS platforms. CVSS 7.1 reflects high confidentiality and availability impact with low attack complexity but requires local access and user interaction. No public exploit identified at time of analysis. Vendor-released patches available through Microsoft Security Response Center covering all affected Office product lines.
Technical ContextAI
This vulnerability stems from CWE-125 (Out-of-bounds Read), a memory safety flaw where the Excel application reads data beyond allocated buffer boundaries during spreadsheet file parsing. When processing malformed Excel documents, the parser fails to properly validate array indices or buffer lengths, allowing access to adjacent memory regions. The affected products span multiple Microsoft Office ecosystems: perpetual licenses (Excel 2016 version 16.0.0.0-16.0.5548.1000, Office 2019 19.0.0), volume-licensed LTSC editions (LTSC 2021/2024 starting from 16.0.1 and 16.0.0 respectively), subscription-based Microsoft 365 Apps for Enterprise (16.0.1), macOS LTSC variants (LTSC for Mac 2021/2024 versions below 16.108.26041219), and server deployments (Office Online Server 16.0.0.0-16.0.10417.20113). The CPE identifiers confirm cross-platform impact affecting both Windows and macOS deployments, indicating a core parsing engine vulnerability rather than platform-specific code.
RemediationAI
Apply vendor-released patches immediately through Microsoft Update or volume licensing service channels referencing Microsoft Security Response Center guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32188. For Office Online Server, upgrade to version 16.0.10417.20113 or later. For Microsoft Office LTSC for Mac 2021 and 2024, update to version 16.108.26041219 or later. For Microsoft Excel 2016, apply update to version 16.0.5548.1000 or later. Microsoft Office 2019, Office LTSC 2021/2024, and Microsoft 365 Apps for Enterprise users should consult monthly security release guidance at https://aka.ms/OfficeSecurityReleases for specific patch builds corresponding to their deployment channel (Current, Monthly Enterprise, Semi-Annual Enterprise). Until patches are deployed, implement defense-in-depth controls including restricting Excel file opening from untrusted sources, enabling Protected View for files from Internet and external locations, and user awareness training on suspicious spreadsheet attachments. Consider application control policies limiting Excel execution to necessary user populations in high-security environments.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22567