Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
AnalysisAI
Use-after-free memory corruption in Microsoft Office (versions 2016 through LTSC 2024, including Microsoft 365 Apps for Enterprise) enables local code execution with no authentication or user interaction required. Attackers with local system access can execute arbitrary code with high impact to confidentiality, integrity, and availability (CVSS 8.4). No public exploit identified at time of analysis. Vendor-released patch available via Microsoft Security Response Center for all affected versions.
Technical ContextAI
This vulnerability exploits CWE-416 (Use After Free), a memory corruption class where a program continues to use a pointer after the memory it references has been freed. In Microsoft Office's case, the flaw exists in core Office components shared across multiple product lines (Office 2016, 2019, LTSC 2021/2024, and Microsoft 365 Apps for Enterprise) on both Windows and macOS platforms. Use-after-free conditions typically occur when object lifecycle management fails, allowing an attacker to manipulate freed memory regions before reallocation. When successfully exploited, the attacker can control program execution flow by placing malicious data in the freed memory location. The broad CPE coverage spanning cpe:2.3:a:microsoft:microsoft_365_apps_for_enterprise through cpe:2.3:a:microsoft:microsoft_office_ltsc_for_mac_2024 indicates the vulnerable code exists in shared libraries used across the entire Office product ecosystem since at least the 2016 release cycle.
RemediationAI
Apply vendor-released security updates immediately via Microsoft Update or the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32190. For Microsoft Office 2016, upgrade to version 16.0.5548.1000 or later. For Microsoft Office LTSC for Mac 2021 and 2024, upgrade to version 16.108.26041219 or later. For Microsoft Office 2019, Office LTSC 2021/2024, and Microsoft 365 Apps for Enterprise on Windows, consult the Office Security Releases page at https://aka.ms/OfficeSecurityReleases for platform-specific patched versions. Enterprise administrators should prioritize systems where untrusted local users have access, and validate patch deployment through Microsoft Update management tools or Configuration Manager. No effective workarounds exist for use-after-free vulnerabilities; patching is the only remediation path.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22571
GHSA-mwrw-28vj-pp5f