Description
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-01-13
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free condition in Microsoft Office that allows an attacker to execute arbitrary code when a malicious Office document is opened. The flaw falls under CWE‑416 and grants the attacker local code execution privileges, potentially compromising the integrity of the affected system.

Affected Systems

Affected vendors include Microsoft with products such as Microsoft 365 Apps for Enterprise and Microsoft Office releases 2016, 2019, LTSC 2021, LTSC 2024, LTSC for Mac 2021, and LTSC for Mac 2024. All listed versions of these products are impacted; specific version patches are not delineated in the available data.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity vulnerability, yet the EPSS score is reported as less than 1%, implying a low current exploitation probability. The flaw is not referenced in the CISA Known Exploited Vulnerabilities catalog. Likely exploitation requires a local attacker delivering a crafted Office file, often via email or web download, to trick a user into opening the document. Successful exploitation would enable arbitrary code execution on the victim’s machine.

Generated by OpenCVE AI on April 16, 2026 at 18:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft security update for CVE-2026-20953 on all affected Office installations.
  • Configure Office to disable or restrict macros and enforce strict file‑validation settings to reduce the impact of malicious documents.
  • Ensure all Office applications and the underlying operating system remain current with Microsoft releases and monitor Microsoft advisories for additional guidance.

Generated by OpenCVE AI on April 16, 2026 at 18:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel

Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Title Microsoft Office Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2016 Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:48:57.106Z

Reserved: 2025-12-04T20:04:16.340Z

Link: CVE-2026-20953

cve-icon Vulnrichment

Updated: 2026-01-13T19:32:22.332Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T18:16:23.150

Modified: 2026-01-14T19:56:25.570

Link: CVE-2026-20953

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z

Weaknesses