Office 2019
Monthly
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-822) that triggers when a user opens a maliciously crafted document. The CVSS 7.8 vector (AV:L/AC:L/PR:N/UI:R) reflects a classic client-side file-format attack requiring user interaction but no prior authentication, yielding full confidentiality, integrity, and availability impact on the targeted workstation. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but Office document parsers are historically high-value targets and the vulnerability was reported by Microsoft's own MSRC team.
Out-of-bounds read in Microsoft Office and SharePoint Server exposes low-level memory contents to a local attacker when a victim opens a crafted document. Affected products span Microsoft 365 Apps for Enterprise, Office 2016/2019/LTSC 2021/2024, Office for Mac variants, and SharePoint Server 2016/2019/Subscription Edition - all at version 16.0.x baselines. The CVSS score of 3.3 (Low) reflects constrained impact: confidentiality is only partially affected, integrity and availability are untouched, and exploitation requires both local access and user interaction. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that an unauthenticated attacker can trigger when a user opens a crafted document. The CVSS 3.1 base score of 7.8 reflects high impact to confidentiality, integrity, and availability, with required user interaction limiting mass exploitation. There is no public exploit identified at time of analysis and the issue is not currently listed on the CISA KEV catalog.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction. The flaw carries a CVSS 3.1 score of 8.4 with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. Despite requiring local access, the absence of authentication and user-interaction requirements makes this a notable priority for endpoint patching cycles.
Local code execution in Microsoft Office via a heap-based buffer overflow allows an unauthorized attacker to run arbitrary code with the privileges of the user opening a malicious document. The CVSS vector (AV:L/PR:N/UI:N) indicates a local attack vector without required authentication or user interaction, an unusual combination that warrants verification against the vendor advisory. No public exploit has been identified at time of analysis and the issue is not currently listed in CISA KEV.
Local code execution in Microsoft Office Word enables an attacker to run arbitrary code in the context of the current user by tricking them into opening a malicious document that triggers an untrusted pointer dereference. With a CVSS 7.8 score and no public exploit identified at time of analysis, the flaw is exploited locally but unauthenticated, relying on user interaction to open a crafted file. Microsoft has issued an advisory via the MSRC Security Update Guide.
Local code execution in Microsoft Office Excel results from an integer underflow (CWE-122 heap-based) that allows an unauthorized attacker to run arbitrary code in the context of the user opening a crafted spreadsheet. The CVSS 7.8 score reflects a local attack vector with required user interaction, and no public exploit has been identified at time of analysis. Microsoft (secure@microsoft.com) is the originating CNA, and the issue is tagged as a buffer/heap overflow class flaw.
Local code execution in Microsoft Office is possible via a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction, yielding full confidentiality, integrity, and availability impact on the host. The flaw is rated 8.4 (CVSS:3.1) and was disclosed by Microsoft's Security Response Center, but no public exploit has been identified at the time of analysis. Despite the CWE-121 tagging as a stack overflow, the description and CWE-122 class indicate the corruption occurs on the heap, so defenders should treat this as a memory-corruption RCE-class issue requiring prompt patching.
Local code execution in Microsoft Office via a heap-based buffer overflow lets an unauthorized attacker run arbitrary code in the context of the current user. The flaw carries a CVSS 8.4 rating driven by high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. Despite the 'unauthorized' wording, the CVSS vector specifies a local attack vector, indicating the attacker must already be able to deliver a crafted file or run code on the target system.
Out-of-bounds read (buffer over-read) in Microsoft Office exposes sensitive memory contents to a local attacker who can induce a user to open a specially crafted file. Affecting a broad surface including Microsoft 365 Apps for Enterprise, Office LTSC 2021/2024, Office 2019, and mobile/Mac variants, the vulnerability carries a CVSS 4.7 (Medium) with high confidentiality impact but no integrity or availability consequence. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the wide deployment footprint of Microsoft Office makes even targeted information disclosure attacks operationally significant.
Local code execution in Microsoft Office via a type confusion flaw (CWE-416) permits unauthorized attackers to run arbitrary code in the context of the Office process without requiring privileges or user interaction. The issue carries a high CVSS 3.1 score of 8.4 with full impact across confidentiality, integrity, and availability, though exploitation requires local attack vector access to the target system. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local code execution in Microsoft Office stems from a type confusion (CWE-843) flaw that allows an unauthenticated attacker with local access to run arbitrary code in the context of the Office process. The CVSS 8.4 score reflects high impact on confidentiality, integrity, and availability without requiring privileges or user interaction, though the attack vector is local. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds read in Microsoft Excel exposes limited memory contents to a local attacker when a user opens a specially crafted workbook. Affected product lines span Excel 2016, Office 2019, Office LTSC 2021/2024, Microsoft 365 Apps for Enterprise, Office Online Server, and multiple Mac variants. With a CVSS score of 3.3 (Low), no public exploit identified at time of analysis, and no CISA KEV listing, this is a low-urgency information disclosure issue - though a notable conflict exists between the description's claim of network-based disclosure and the CVSS AV:L (local) vector that warrants verification against the vendor advisory.
Local code execution in Microsoft Office is possible through a heap-based buffer overflow (CWE-122) that triggers when a user opens or previews a maliciously crafted document. The CVSS 7.8 score reflects a local attack vector with required user interaction, and no public exploit has been identified at time of analysis. Successful exploitation yields full confidentiality, integrity, and availability impact in the context of the current user.
Local code execution in Microsoft Office Excel stems from an integer underflow that, when triggered by opening a crafted spreadsheet, allows an attacker to run arbitrary code in the context of the current user. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) confirms exploitation requires the victim to open a malicious file, and there is no public exploit identified at time of analysis. With a base score of 7.8 and full confidentiality, integrity, and availability impact, successful exploitation effectively gives the attacker the victim's privileges on the host.
Information disclosure in Microsoft Office Excel allows remote unauthenticated attackers to read out-of-bounds memory over a network, potentially exposing sensitive data from process memory. The CVSS 8.2 score reflects high confidentiality impact with no authentication or user interaction required per the CVSS vector. No public exploit has been identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Out-of-bounds read in Microsoft Office triggers local information disclosure when a victim opens a crafted document, exposing adjacent memory contents with high confidentiality impact. The vulnerability spans a wide product surface including Office 2016 through LTSC 2024, Microsoft 365 Apps for Enterprise, multiple SharePoint Server versions, and Mac variants, as confirmed by EUVD-2026-35664. No public exploit or CISA KEV listing is identified at time of analysis; vendor-released patches are available across affected product lines.
Local code execution in Microsoft Office Excel stems from an integer underflow condition that can be triggered when a victim opens a malicious spreadsheet, leading to out-of-bounds memory access (CWE-125). The flaw requires user interaction but no prior authentication on the target, and no public exploit has been identified at time of analysis. With a CVSS of 7.8 (high) and the typical phishing-friendly delivery model of Office files, this fits the profile of a document-based client-side RCE primitive.
Local code execution in Microsoft Office is possible when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122), allowing the attacker to run arbitrary code in the context of the opened Office process. The CVSS 7.8 (AV:L/AC:L/PR:N/UI:R) reflects a user-interaction-driven local exploit rather than a remote network attack, and no public exploit has been identified at time of analysis. The flaw was reported through Microsoft Security Response Center (secure@microsoft.com) and is tracked in MSRC's update guide.
Local code execution in Microsoft Office Excel can be achieved by an unauthenticated attacker who tricks a user into opening a malicious spreadsheet that triggers an integer underflow condition. The flaw carries a CVSS 7.0 rating reflecting high attack complexity and required user interaction, and no public exploit has been identified at time of analysis. There is a notable mismatch between the description (integer underflow) and the assigned CWE-362 (race condition), which warrants verification with Microsoft's advisory.
Local code execution in Microsoft Office Excel arises from an integer underflow condition that corrupts memory when a malicious spreadsheet is opened. The flaw requires user interaction (UI:R) to trigger but needs no prior authentication, enabling attackers to run arbitrary code in the security context of the victim user. At the time of analysis, no public exploit has been identified and the issue is not listed in CISA KEV.