A flaw in Microsoft Excel causes an integer underflow when processing worksheet data, creating an overflow condition that allows an attacker to execute arbitrary code on the host machine. This vulnerability is exploitable through a crafted Excel workbook that a user opens or imports. The resulting code runs with the privileges of the user who opens the file, granting the attacker the ability to manipulate files, install malware, or otherwise disrupt system operations. The weakness is classified as a heap‑based buffer overflow (CWE‑122) and an integer underflow (CWE‑191).

Microsoft identifies affected products in its Office suite, including Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021 and LTSC 2024 for Windows and macOS, and the Office Online Server. The vulnerability applies to all supported 32‑bit and 64‑bit builds of these products, as indicated by the CPE list. No specific version numbers are listed, so all active releases of the mentioned Office versions are potentially impacted.

The CVSS score of 7.8 places this issue in the High severity range, though the EPSS score is below 1%, indicating a low predicted exploitation frequency. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known large‑scale exploitation. If an attacker can deliver a malicious workbook to a user—an indication that the attack vector is likely through social engineering or compromised email attachments—the local code execution can proceed with the victim’s user rights. The overall risk is moderate to high for organizations that allow users to open untrusted Excel files.