Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Document-open flaw: file delivered remotely but parsed locally (AV:L), no auth needed (PR:N) yet victim must open the file (UI:R), yielding full user-context compromise (C/I/A:H).
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
AnalysisAI
Local arbitrary code execution in Microsoft Excel arises from a buffer over-read (CWE-126) triggered when a victim opens a maliciously crafted spreadsheet, letting an attacker run code in the context of the current user. The flaw spans Office 2016/2019, Microsoft 365 Apps, Office LTSC 2021/2024 (Windows and Mac) and Office Online Server; a vendor patch is available via MSRC. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a user to open or preview an attacker-crafted Excel document with a vulnerable Office/Excel build (Office 2016/2019, Microsoft 365 Apps, Office LTSC 2021/2024 Windows or Mac, or Office Online Server) - the UI:R metric confirms victim interaction is mandatory, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 7.8) describes a local, low-complexity, unauthenticated-but-user-interaction-dependent flaw with high impact to confidentiality, integrity and availability - the classic 'open a malicious document' profile rather than a remotely wormable bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker emails or hosts a crafted .xlsx/.xls file and lures a user into opening it; when Excel parses the malformed structure, the buffer over-read is triggered and attacker-controlled code executes with the victim's privileges. Because the CVSS vector requires user interaction (UI:R) and local execution (AV:L), the attack hinges on social engineering rather than an unattended network exploit. … |
| Remediation | Patch available per vendor advisory - apply the Microsoft security update for your Office channel referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55036; for click-to-run products (Microsoft 365 Apps, Office 365 for Mac) ensure automatic updates are enabled so the current channel build installs, and for MSI/LTSC 2016/2019/2021/2024 and Office Online Server deploy the corresponding monthly security update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit your environment to identify all systems running Microsoft Office 2016, 2019, Microsoft 365 Apps, or Office LTSC 2021/2024 (both Windows and Mac), and advise users to avoid opening spreadsheets from untrusted sources pending remediation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Local code execution in Microsoft Word (and Office/SharePoint components that render Word content) stems from an integer
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and the macOS editions) arises
Arbitrary code execution in Microsoft Office Word (and the broader Office/365/SharePoint family) arises from a stack-bas
Local code execution in Microsoft Office (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office LTSC
Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for M
Local arbitrary code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and O
Arbitrary code execution in Microsoft PowerPoint (and the broader Microsoft Office/365 suite on Windows and macOS) arise
Local code execution in Microsoft Office PowerPoint (including Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, a
Local code execution in Microsoft Office PowerPoint (CWE-122 heap-based buffer overflow) lets an unauthorized attacker r
Local code execution in Microsoft Word (and the wider Microsoft Office / Microsoft 365 Apps family) lets an unauthorized
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and Office for Mac 2021/2024)
Same weakness CWE-126 – Buffer Over-read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44194
GHSA-mp23-5v8j-rg6j