Description
Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Apply Patch
AI Analysis

Impact

Untrusted pointer dereference in Microsoft Office Excel allows an attacker who can supply a crafted spreadsheet to execute arbitrary code on the victim’s machine. The weakness is identified as CWE-822 and carries a CVSS score of 7.8, indicating a high risk to confidentiality and integrity when an authorized user opens a malicious file.

Affected Systems

Affected suppliers include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. Version details are not listed, so the vulnerability applies to the current releases of these products.

Risk and Exploitability

The vulnerability is local in nature; an attacker must provide a malicious Excel file that a user opens or processes. Because it requires local user interaction, the EPSS score of less than 1% reflects a low probability of currently observed exploitation, and the vulnerability is not present in the CISA KEV catalog. Nevertheless, the high CVSS score means that once a user opens a weaponized file, the attacker could achieve full code execution on that system. The likelihood of exploitation is dominated by user behavior and trust of file sources.

Generated by OpenCVE AI on April 16, 2026 at 08:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft Office security updates via Windows Update or the Office update channel.
  • Ensure that all Office applications for the affected products are running the most recent patch level.
  • If the patch is not yet available, restrict users from opening unknown or untrusted Excel files, use macro security settings set to disable or display prompts, and consider applying software restriction policies or endpoint protection to block execution of malicious content.

Generated by OpenCVE AI on April 16, 2026 at 08:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft office Online Server
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft office Online Server

Wed, 14 Jan 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Description Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Title Microsoft Excel Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-822
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Office Online Server
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:48:57.702Z

Reserved: 2025-12-04T20:04:16.340Z

Link: CVE-2026-20955

cve-icon Vulnrichment

Updated: 2026-01-13T20:23:44.121Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T18:16:23.307

Modified: 2026-01-14T19:49:54.657

Link: CVE-2026-20955

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T08:15:29Z

Weaknesses