Severity by source
Primary rating from Vendor (microsoft).
CVSS Vector (Vendor: microsoft): CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (source: CVE.org)
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Analysis (AI-generated)
Local code execution in Microsoft Office Excel stems from an integer underflow that, when triggered by opening a crafted spreadsheet, allows an attacker to run arbitrary code in the context of the current user. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) confirms exploitation requires the victim to open a malicious file, and there is no public exploit identified at time of analysis. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the victim to open an attacker-crafted Excel document on a vulnerable Office installation; the AV:L/UI:R vector confirms the malicious file must reach and be processed locally by Excel, with no network-service exposure. … |
| Risk Assessment | The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) describes a classic client-side document attack: low complexity, no privileges required, but mandatory user interaction (opening the file), with high impact on all three CIA properties, limited to the user's own context (S:U). … |
| Exploit Scenario | An attacker sends a target user a crafted Excel workbook as an email attachment or hosted download, typically themed as an invoice, HR document, or shared report. When the victim opens the file (and, if applicable, dismisses Protected View), Excel's parser triggers the integer underflow while processing a malformed record, corrupting memory and executing attacker-supplied code in the user's session, which can lead to credential theft, ransomware staging, or lateral movement. … |
| Remediation | Apply the Microsoft security update for CVE-2026-44823 as published on the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44823; the exact patched build is not included in the data available here and should be taken directly from that advisory for each affected Office channel (Click-to-Run, MSI, LTSC). … |
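The weakness class the assessment describes (an integer underflow in a length computation while parsing a malformed record) is easier to see in a small generic parser. The following is an added illustration written for this page, not Excel's code and not from the vendor or the analysis above: a hypothetical record format (constructed here: a 4-byte little-endian total length followed by the payload) where the unchecked subtraction `total_len - header` wraps to a huge value, shown beside a validated version that rejects such records before any copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for illustration only (not a real Excel record):
 *   [u32 little-endian total_len][payload of total_len - 4 bytes] */
#define REC_HDR_LEN 4u

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: unsigned subtraction wraps when total_len < header size,
 * so a record claiming total_len = 2 yields a payload length of 0xFFFFFFFE.
 * A later copy that trusts this value would read and write far past the buffer. */
uint32_t payload_len_unchecked(uint32_t total_len) {
    return total_len - REC_HDR_LEN;
}

/* Hardened pattern: bound the declared length against the header size and the
 * bytes actually available BEFORE subtracting. Returns 0 and sets *out on
 * success, -1 on any inconsistency. */
int payload_len_checked(const uint8_t *buf, size_t avail, uint32_t *out) {
    if (buf == NULL || out == NULL || avail < REC_HDR_LEN) return -1;
    uint32_t total_len = read_u32le(buf);
    if (total_len < REC_HDR_LEN) return -1;   /* would underflow */
    if (total_len > avail) return -1;         /* claims more bytes than present */
    *out = total_len - REC_HDR_LEN;
    return 0;
}

/* Copies the payload into dst using only the validated length.
 * Returns the number of bytes copied, or -1 if the record is rejected. */
long extract_payload(const uint8_t *buf, size_t avail, uint8_t *dst, size_t dst_len) {
    uint32_t plen;
    if (payload_len_checked(buf, avail, &plen) != 0) return -1;
    if (plen > dst_len) return -1;            /* destination too small */
    memcpy(dst, buf + REC_HDR_LEN, plen);
    return (long)plen;
}

int main(void) {
    /* Constructed sample records: one well-formed, one with total_len < header. */
    const uint8_t good[] = {0x08, 0, 0, 0, 'A', 'B', 'C', 'D'};
    const uint8_t bad[]  = {0x02, 0, 0, 0, 'A', 'B', 'C', 'D'};
    uint8_t out[16];
    printf("good record: %ld payload bytes\n", extract_payload(good, sizeof good, out, sizeof out));
    printf("bad record:  %ld (rejected)\n", extract_payload(bad, sizeof bad, out, sizeof out));
    printf("unchecked length for bad record: %u\n", payload_len_unchecked(2));
    return 0;
}
```

The defensive point is the ordering: every comparison happens on the declared length itself and on the bytes actually present, and the subtraction is performed only after both bounds hold. Compiling with `-fsanitize=undefined` does not catch the wrap, because unsigned wraparound is defined behaviour in C; the check has to be explicit.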
Recommended Action (AI-generated)
Within 24 hours: Disable macro execution in Excel via Group Policy (Office > Security Center > Trust Center Settings > Disable All Macros) and issue alert to end users to avoid opening spreadsheets from untrusted sources. …
Related Microsoft Office vulnerabilities (summaries truncated as shown on the page)
- Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in sec…
- Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted input…
- Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary…
- Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C…
- Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A…
- Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb…
- Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally.
- Microsoft Office Word contains an out-of-bounds read vulnerability that enables local code execution on affected systems…
- Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]
- Local code execution in Microsoft Office Word arises from an untrusted pointer dereference (CWE-822) that can be trigger…
- Local code execution in Microsoft Office Word is possible when a user opens a maliciously crafted document that triggers…
Same weakness: CWE-197 – Numeric Truncation Error
Same technique: Authentication Bypass
Other identifiers: EUVD-2026-35665, GHSA-69c6-79jc-fjhr