Impact
A use-after-free flaw in Microsoft Office objects allows an attacker to execute arbitrary code on a device that opens a specially crafted file. The vulnerability is a memory safety error (CWE-416). When the bug is triggered, the attacker's code runs with the privileges of the user who opens the crafted document, potentially compromising confidential data, altering system state, or installing malware. The impact is therefore a loss of confidentiality, integrity, and availability for the affected workstation.
Affected Systems
The flaw affects the Microsoft 365 Apps for Enterprise suite and all supported Microsoft Office desktop and mobile products, including Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, the corresponding LTSC for Mac 2021 and 2024 releases, and the Office for Android application. No specific version numbers are listed in the CNA data, so any installation of these product families that has not been updated with the latest security patch is potentially vulnerable.
Risk and Exploitability
The CVSS score of 8.4 places this vulnerability in the high-severity range, and while the EPSS score is below 1%, the existence of a public reference indicates that exploitation techniques are known. The issue is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed; however, because the bug is triggered by a malicious document opened locally, targeting unpatched users is trivial for an attacker. The risk to an organization scales with the number of unsandboxed devices that may open unsolicited attachments, and the absence of an automatic update may prolong exposure.
OpenCVE Enrichment