An attacker can exploit a use‑after‑free bug in Microsoft Office (CWE-416) that allows the execution of arbitrary code on the device where a malicious file is opened. The flaw arises when Office incorrectly reuses a freed memory pointer, creating an opportunity for injected code to run with the privileges of the current user. This vulnerability directly threatens data confidentiality, integrity, and availability by enabling local privilege escalation or denial of service if a user opens a crafted Office document.

Microsoft 365 Apps for Enterprise, Microsoft Office 2016, 2019, Office LTSC 2021, Office LTSC 2024, Office LTSC for Mac 2021, Office LTSC for Mac 2024, and their corresponding long‑term servicing channel releases for Windows and macOS. These versions are impacted until the vendor releases remediation updates.

The CVSS score of 8.4 reflects a high‑severity local function impact. EPSS indicates a very low likelihood of exploitation at the time of assessment, and the vulnerability has not been listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, the attack vector is inferred to be the opening of a malicious Office file by an authorized user; an attacker would need local access to the target machine or convince the user to execute the file. The risk is therefore significant for environments where untrusted documents are common but may be mitigated by leveraging corporate update and isolation policies.