Severity by source
Primary rating from vendor (Microsoft).
CVSS vector (vendor: Microsoft): CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
Description (CVE.org)
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Analysis (AI)
Local code execution in Microsoft Office Excel arises from an integer underflow condition that corrupts memory when a malicious spreadsheet is opened. The flaw requires user interaction (UI:R) to trigger but needs no prior authentication, enabling attackers to run arbitrary code in the security context of the victim user. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The victim must open an attacker-supplied Excel workbook in a vulnerable build of Microsoft Office Excel; the CVSS vector confirms a local attack vector (AV:L) with required user interaction (UI:R) and no prior authentication (PR:N). … |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H yields a base score of 7.8 (High), reflecting a local attack vector that nonetheless delivers full confidentiality, integrity, and availability impact once a user opens a crafted file. … |
| Exploit Scenario | An attacker crafts a malicious Excel workbook that triggers the integer underflow when parsed and delivers it via phishing email, a OneDrive/SharePoint share, or a watering-hole download. When the victim opens the file and dismisses Protected View (or the file is delivered through a trusted channel that bypasses it), the underflow corrupts memory inside excel.exe and yields arbitrary code execution at the user's privilege level, which the attacker uses for initial access and credential theft. |
| Remediation | Apply the patch from the vendor advisory by installing the corresponding Microsoft Patch Tuesday update for Excel referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44817 across all affected Office channels (Microsoft 365 Apps Current/Monthly Enterprise, Semi-Annual, and standalone Office 2019/2021/2024 builds); exact fix build numbers are listed in that MSRC entry and should be taken from there directly rather than inferred. … |
Recommended Action (AI)
Within 24 hours: Conduct inventory of Excel usage patterns; communicate vulnerability advisory to all users emphasizing file source validation and suspicious file reporting. …
- Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in sec
- Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted input
- Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary
- Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C
- Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A
- Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb
- Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally.
- Microsoft Office Word contains an out-of-bounds read vulnerability that enables local code execution on affected systems
- Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]
- Local code execution in Microsoft Office Word arises from an untrusted pointer dereference (CWE-822) that can be trigger
- Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers
External POC / Exploit Code
- EUVD-2026-35660
- GHSA-2p34-ppjg-jr32