Impact
A pointer dereference bug in Microsoft Excel can be triggered when an attacker supplies untrusted data to the application, allowing the attacker to execute arbitrary code on the local machine. The flaw is a memory-safety error in the same family as buffer overruns and dangling-pointer bugs: Excel uses a pointer derived from attacker-controlled file data without sufficiently validating it before the dereference. Successful exploitation yields code execution with the privileges of the user who opens the malicious workbook, compromising the confidentiality, integrity, and availability of that system.
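The following is an added illustration of the bug class described above; it is not Excel's code and does not reproduce the specific flaw in this advisory. A toy file parser turns an attacker-controlled offset into a pointer, first without validation (the vulnerable pattern) and then with the header, offset, and length checks that reject a hostile file before any out-of-bounds dereference. The record layout and the sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy record format, constructed for this example (not Excel's file format):
 *   bytes 0..3  little-endian offset of a string table within the blob
 *   bytes 4..7  little-endian length of that table
 *   bytes 8..   table payload
 */
#define HDR_LEN 8

typedef struct {
    const uint8_t *data;
    size_t len;
} blob_t;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the offset read from the file becomes a pointer with no
 * check against the buffer size, so a crafted file makes the parser dereference
 * memory outside the blob. Only ever call this on a well-formed input. */
static uint8_t first_table_byte_unchecked(const blob_t *b)
{
    uint32_t off = rd_le32(b->data);
    const uint8_t *table = b->data + off;   /* may point far outside b->data */
    return *table;                          /* out-of-bounds read for a hostile file */
}

/* Hardened pattern: validate header size, offset and length before forming the
 * pointer. The comparisons are arranged so that none of them can overflow. */
static int locate_table_checked(const blob_t *b, const uint8_t **table, size_t *table_len)
{
    if (b == NULL || b->data == NULL || b->len < HDR_LEN)
        return -1;                          /* truncated header */
    uint32_t off = rd_le32(b->data);
    uint32_t n   = rd_le32(b->data + 4);
    if (off < HDR_LEN || off > b->len)
        return -1;                          /* offset lands in the header or past the end */
    if (n > b->len - off)
        return -1;                          /* table runs past the end of the blob */
    *table = b->data + off;
    *table_len = n;
    return 0;
}

/* Constructed sample files */
static const uint8_t GOOD[]    = { 8,0,0,0, 3,0,0,0, 'A','B','C' };                /* off 8, len 3 */
static const uint8_t BAD_OFF[] = { 0xff,0xff,0xff,0x7f, 1,0,0,0, 'A','B','C' };    /* off 0x7fffffff */
static const uint8_t BAD_LEN[] = { 8,0,0,0, 0xff,0xff,0xff,0xff, 'A','B','C' };    /* len 0xffffffff */
static const uint8_t TRUNC[]   = { 8,0,0 };                                         /* no full header */

/* Returns the table length on success, -1 when validation rejects the file. */
int checked_table_len(const uint8_t *data, size_t len)
{
    blob_t b = { data, len };
    const uint8_t *t;
    size_t n;
    if (locate_table_checked(&b, &t, &n) != 0)
        return -1;
    return (int)n;
}

int good_len(void)    { return checked_table_len(GOOD, sizeof GOOD); }        /* 3 */
int bad_off_len(void) { return checked_table_len(BAD_OFF, sizeof BAD_OFF); }  /* -1 */
int bad_len_len(void) { return checked_table_len(BAD_LEN, sizeof BAD_LEN); }  /* -1 */
int trunc_len(void)   { return checked_table_len(TRUNC, sizeof TRUNC); }      /* -1 */

/* The unchecked path is safe only because GOOD is well-formed; on BAD_OFF it
 * would read roughly 2 GiB past the buffer. */
int unchecked_good_byte(void)
{
    blob_t b = { GOOD, sizeof GOOD };
    return first_table_byte_unchecked(&b);                                   /* 'A' */
}

int main(void)
{
    printf("GOOD:    checked=%d unchecked first byte=%c\n", good_len(), unchecked_good_byte());
    printf("BAD_OFF: checked=%d (unchecked path would read out of bounds)\n", bad_off_len());
    printf("BAD_LEN: checked=%d  TRUNC: checked=%d\n", bad_len_len(), trunc_len());
    return 0;
}
```

The hardened function checks three independent things: that the header itself is present, that the offset stays inside the buffer, and that the length fits in the bytes remaining after the offset. The last check is written as `n > b->len - off` rather than `off + n > b->len` so that a huge length cannot wrap the addition and slip past the test.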
Affected Systems
The flaw affects several Microsoft products, notably Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, and all Long-Term Servicing Channel builds, including Office LTSC 2021 and Office LTSC 2024, on both Windows and Mac. Office Online Server deployments are affected as well. Administrators of these productivity suites should confirm that each installation carries the vendor-issued security update rather than a vulnerable build; for Click-to-Run installations on Windows, the installed build is the VersionToReport value under HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration, which can be compared against the fixed build listed in the vendor advisory.
Risk and Exploitability
A CVSS score of 7.8 places this vulnerability in the high-severity band, but the EPSS score of under 1% indicates that the probability of in-the-wild exploitation over the next 30 days is currently low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so no active exploitation has been documented. The attack vector is likely local: the attacker only needs to get a target to open a specially crafted Excel file, which is sufficient to trigger the flaw. The risk therefore falls mainly on users who process untrusted documents, such as email attachments or downloaded files, and it rises if the attacker can entice a system administrator or other privileged user to open the file, since the resulting code runs with that user's privileges. A low EPSS score reflects observed activity rather than ease of exploitation, so it is not a reason to defer the update.
OpenCVE Enrichment