Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
AnalysisAI
Use-after-free memory corruption in Microsoft Excel across Office 2016-2024 and Microsoft 365 enables local code execution when a user opens a malicious spreadsheet. Attackers must craft a weaponized Excel file and trick users into opening it, after which arbitrary code runs with the victim's privileges. No authentication is required, though user interaction is necessary. Exploitation probability remains moderate (CVSS 7.8) with no confirmed active exploitation (no CISA KEV listing) and no publi
Technical ContextAI
This vulnerability exploits CWE-416 (use-after-free), a class of memory corruption bugs where a program continues to reference memory after it has been freed. In Excel's parsing or rendering engine, specific spreadsheet structures trigger premature deallocation of memory objects that remain in use, allowing attackers to control the contents of freed memory regions. Subsequent operations on dangling pointers can redirect code execution to attacker-supplied payloads embedded in the malicious Excel file. Affected products span the entire modern Office ecosystem: Excel 2016 (versions prior to 16.0.5548.1000), Office 2019, Office LTSC 2021 and 2024 for both Windows and macOS (versions below 16.108.26041219 for Mac), Microsoft 365 Apps for Enterprise, and Office Online Server (versions before 16.0.10417.20113). The vulnerability resides in native code components shared across these platforms, making it a widespread cross-version issue affecting both perpetual-license and subscription-based deployments.
RemediationAI
Apply vendor-released patches immediately for all affected Office installations. For Excel 2016, upgrade to version 16.0.5548.1000 or later. For Office LTSC for Mac 2021 and 2024, upgrade to version 16.108.26041219 or later. For Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024 for Windows, and Microsoft 365 Apps for Enterprise, apply the latest security updates available at https://aka.ms/OfficeSecurityReleases. For Office Online Server, upgrade to version 16.0.10417.20113 or later. Organizations unable to patch immediately should implement defense-in-depth controls including disabling Office macros by default, enabling Protected View for files from untrusted sources, deploying email attachment filtering to block suspicious Excel files, and training users to avoid opening spreadsheets from unknown senders. Detailed remediation guidance is published in Microsoft's Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32197.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22579
GHSA-3rjw-x5rf-9pp3