Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitation is via opening a crafted document (AV:L, UI:R) with no prior privileges (PR:N); successful use-after-free yields code execution in user context, giving full C:H/I:H/A:H.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for Mac) stems from a use-after-free memory corruption (CWE-416) that an attacker triggers when a victim opens a maliciously crafted document. Rated CVSS 7.8 with high confidentiality, integrity, and availability impact, exploitation requires user interaction but no prior authentication, letting an attacker run arbitrary code in the context of the current user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a user to open an attacker-supplied malicious Office document (UI:R in the CVSS vector) on an affected Office build; the attacker needs no prior authentication or privileges on the target (PR:N), and the attack executes locally through the document rather than over the network (AV:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a realistic but not emergency-grade risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker emails or otherwise delivers a specially crafted Office document to a target and lures them into opening it (and, if applicable, exiting Protected View). Opening the file triggers the use-after-free, corrupting memory so the attacker's payload executes arbitrary code with the victim's privileges - typically the first foothold for credential theft or lateral movement. … |
| Remediation | Apply the Microsoft-provided update for your Office channel; patch is available per vendor advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55018 - the supplied data does not enumerate an exact fixed build, so pull the specific patched version for each SKU (Click-to-Run for Microsoft 365 Apps, MSI/LTSC packages, and the Mac AutoUpdate channel) directly from that MSRC page. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Office deployments (Windows and Mac) across the organization and assess user exposure, particularly for roles handling external documents or email attachments; communicate patch availability to IT operations and security teams. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Local code execution in Microsoft Word (and Office/SharePoint components that render Word content) stems from an integer
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and the macOS editions) arises
Arbitrary code execution in Microsoft Office Word (and the broader Office/365/SharePoint family) arises from a stack-bas
Local code execution in Microsoft Office (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office LTSC
Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for M
Local arbitrary code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and O
Arbitrary code execution in Microsoft PowerPoint (and the broader Microsoft Office/365 suite on Windows and macOS) arise
Local code execution in Microsoft Office PowerPoint (including Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, a
Local code execution in Microsoft Office PowerPoint (CWE-122 heap-based buffer overflow) lets an unauthorized attacker r
Local code execution in Microsoft Word (and the wider Microsoft Office / Microsoft 365 Apps family) lets an unauthorized
Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and Office for Mac 2021/2024)
Local code execution in Microsoft Word (Office 2016/2019, Microsoft 365 Apps, Office LTSC 2021/2024) arises from a heap-
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44163
GHSA-65j6-99mv-3xg6