Description
Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is an untrusted pointer dereference in Microsoft Office Excel that allows an attacker to execute arbitrary code on the victim’s machine when an Excel file containing malicious content is opened, potentially compromising confidentiality, integrity, and availability.

Affected Systems

Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, and Microsoft Office LTSC for Mac 2024 are all affected; all current releases of these products lack the fix for CVE-2026-20956.

Risk and Exploitability

With a CVSS score of 7.8 and an EPSS below 1%, the vulnerability presents a moderate to high severity but a low probability of exploitation; it is not listed in the CISA KEV catalog. Attackers would require a malicious workbook or attachment that a user opens, thus the attack vector is local, through user interaction, and the vulnerability is mitigated through patching. The impact of successful exploitation would be execution of code with the privileges of the logged‑in user, enabling full system compromise.

Generated by OpenCVE AI on April 16, 2026 at 08:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft Office security update that fixes CVE-2026-20956.
  • Ensure all affected Office installations are updated to the latest available security update rollup.
  • Configure Excel to disable macros and add‑ins, or run the application in Safe Mode, until the patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 08:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
Vendors & Products Microsoft office Long Term Servicing Channel

Tue, 13 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Description Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Title Microsoft Excel Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-822
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:48:58.355Z

Reserved: 2025-12-04T20:04:16.340Z

Link: CVE-2026-20956

cve-icon Vulnrichment

Updated: 2026-01-13T20:23:20.616Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T18:16:23.467

Modified: 2026-01-14T19:48:42.527

Link: CVE-2026-20956

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T08:15:29Z

Weaknesses