Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
AnalysisAI
Use-after-free vulnerability in Microsoft Office Excel enables local code execution when users open maliciously crafted Excel files. Affects all major Office versions including Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021/2024 (Windows and Mac), and Office Online Server. Attack requires no authentication (PR:N) but demands user interaction (opening a weaponized document). CVSS 7.8 (High) reflects significant impact potential (code execution with high confidentiali
Technical ContextAI
This vulnerability represents a CWE-416 use-after-free memory corruption flaw in Excel's file parsing engine. Use-after-free conditions occur when application code continues referencing memory after it has been deallocated, allowing attackers to manipulate freed memory regions and redirect program execution flow. The affected CPE scope indicates the vulnerability exists across Microsoft's entire Office product ecosystem spanning perpetual licenses (Excel 2016, Office 2019), subscription-based deployments (Microsoft 365 Apps for Enterprise), volume licensing channels (Office LTSC 2021/2024 for Windows and macOS), and server-side rendering components (Office Online Server). The consistent version patterns across products suggest a shared codebase vulnerability in Excel's document processing library, likely within format parsing routines that handle legacy .xls or modern .xlsx file structures. The memory corruption class enables arbitrary code execution when Excel processes specially crafted spreadsheet elements that trigger the use-after-free condition during object lifecycle management.
RemediationAI
Apply vendor-released security updates immediately from Microsoft Security Response Center. For Microsoft Excel 2016, upgrade to version 16.0.5548.1000 or later. For Office Online Server, deploy version 16.0.10417.20113 or later. For Office LTSC 2021/2024 on macOS, upgrade to version 16.108.26041219 or later. For Office 2019, Office LTSC 2021/2024 on Windows, and Microsoft 365 Apps for Enterprise, consult the version-specific patch matrix at https://aka.ms/OfficeSecurityReleases and deploy through Windows Update, Microsoft Update, or enterprise patch management systems. As interim mitigation where immediate patching is not feasible, enforce Office Protected View for files from untrusted sources, block Excel file attachments at email gateways, and educate users on risks of opening unsolicited spreadsheet documents. Disable macros and ActiveX controls organization-wide unless business-critical. For Office Online Server deployments, consider network segmentation to limit exposure until patches are applied. Full remediation guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32198.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22581