Skip to main content

Microsoft EUVDEUVD-2026-22571

| CVE-2026-32190 HIGH
Use After Free (CWE-416)
2026-04-14 microsoft GHSA-mwrw-28vj-pp5f
8.4
CVSS 3.1 · NVD
Temporal: 7.3
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.3 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:34 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22571
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
HIGH 8.4

DescriptionCVE.org

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

AnalysisAI

Use-after-free memory corruption in Microsoft Office (versions 2016 through LTSC 2024, including Microsoft 365 Apps for Enterprise) enables local code execution with no authentication or user interaction required. Attackers with local system access can execute arbitrary code with high impact to confidentiality, integrity, and availability (CVSS 8.4). No public exploit identified at time of analysis. Vendor-released patch available via Microsoft Security Response Center for all affected versions.

Technical ContextAI

This vulnerability exploits CWE-416 (Use After Free), a memory corruption class where a program continues to use a pointer after the memory it references has been freed. In Microsoft Office's case, the flaw exists in core Office components shared across multiple product lines (Office 2016, 2019, LTSC 2021/2024, and Microsoft 365 Apps for Enterprise) on both Windows and macOS platforms. Use-after-free conditions typically occur when object lifecycle management fails, allowing an attacker to manipulate freed memory regions before reallocation. When successfully exploited, the attacker can control program execution flow by placing malicious data in the freed memory location. The broad CPE coverage spanning cpe:2.3:a:microsoft:microsoft_365_apps_for_enterprise through cpe:2.3:a:microsoft:microsoft_office_ltsc_for_mac_2024 indicates the vulnerable code exists in shared libraries used across the entire Office product ecosystem since at least the 2016 release cycle.

RemediationAI

Apply vendor-released security updates immediately via Microsoft Update or the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32190. For Microsoft Office 2016, upgrade to version 16.0.5548.1000 or later. For Microsoft Office LTSC for Mac 2021 and 2024, upgrade to version 16.108.26041219 or later. For Microsoft Office 2019, Office LTSC 2021/2024, and Microsoft 365 Apps for Enterprise on Windows, consult the Office Security Releases page at https://aka.ms/OfficeSecurityReleases for platform-specific patched versions. Enterprise administrators should prioritize systems where untrusted local users have access, and validate patch deployment through Microsoft Update management tools or Configuration Manager. No effective workarounds exist for use-after-free vulnerabilities; patching is the only remediation path.

Share

EUVD-2026-22571 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy