Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft Office is possible when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122), allowing the attacker to run arbitrary code in the context of the opened Office process. The CVSS 7.8 (AV:L/AC:L/PR:N/UI:R) reflects a user-interaction-driven local exploit rather than a remote network attack, and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | A user must open an attacker-supplied Office document in a vulnerable build of Microsoft Office (UI:R required per CVSS), and the vulnerable file-parsing code path must be reachable - typically meaning the document is opened outside Protected View or the user clicks 'Enable Editing'. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H describes a local attack vector requiring user interaction with no privileges, yielding full confidentiality, integrity, and availability impact on the local user's context - characteristic of an 'open-a-document' client-side RCE rather than a remote-listener bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker emails or hosts a weaponized Office document (e.g., a crafted DOCX or RTF) and lures a target user via phishing to open it; on open, the malformed structure triggers the heap-based buffer overflow inside the Office process, hijacking execution and running attacker-chosen code with the user's privileges. The implant can then steal credentials, drop secondary payloads, or move laterally - all under the identity of the victim user. … |
| Remediation | Patch available per vendor advisory - apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44819 across all affected Office channels (Microsoft 365 Apps, Office LTSC, and any standalone Office 2016/2019/2021/2024 builds listed by MSRC) using Windows Update, WSUS, Microsoft Intune, or Click-to-Run channel updates as appropriate. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Alert all users to avoid opening documents from untrusted sources; conduct audit of Office versions and deployment; ensure email gateways filter or sandbox Office document attachments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in sec
Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted input
Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C
Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A
Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb
Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally.
Microsoft Office Word contains an out-of-bounds read vulnerability that enables local code execution on affected systems
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]
Local code execution in Microsoft Office Word arises from an untrusted pointer dereference (CWE-822) that can be trigger
Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35662
GHSA-3rh7-cg3h-rr3p