Description
Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to elevate privileges locally.
Published: 2026-02-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A heap-based buffer overflow in Microsoft Office Excel enables an unauthorized local attacker to increase their process privileges, potentially allowing them to execute arbitrary code with elevated rights. The vulnerability is rooted in improper bounds checking of memory writes, as indicated by the associated CWE-122 and CWE-787 weaknesses.

Affected Systems

The flaw affects various Microsoft Office products, including Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Office Online Server. Specific version details are not enumerated in the CVE record, so all releases of these products should be considered potentially vulnerable until a vendor advisory specifies otherwise.

Risk and Exploitability

With a CVSS score of 7.8, the vulnerability presents a considerable severity, yet its EPSS score of less than 1% indicates that exploitation opportunities are currently rare. The flaw is not listed in the CISA KEV catalog. The attack vector is local, requiring the attacker to obtain a crafted or malicious Excel workbook and have it opened on a target system. Successful exploitation would allow the attacker to elevate privileges to admin or system level on the affected machine.

Generated by OpenCVE AI on April 15, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Microsoft Office security update that addresses CVE-2026-21259 as published in the Microsoft security advisories.
  • Ensure all affected Office editions (Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Office Online Server) are updated to the latest release or cumulative update that includes the fix.
  • Restrict users from opening untrusted or macro‑enabled workbooks until the patch is applied; consider enforcing group policy to block macro execution for documents received via email.

Generated by OpenCVE AI on April 15, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft office Online Server
Weaknesses CWE-787
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*
Vendors & Products Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft office Online Server

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to elevate privileges locally.
Title Microsoft Excel Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Weaknesses CWE-122
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Excel Excel 2016 Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Online Server
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:03.674Z

Reserved: 2025-12-11T21:02:05.737Z

Link: CVE-2026-21259

cve-icon Vulnrichment

Updated: 2026-02-25T15:43:42.980Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:27.790

Modified: 2026-02-11T19:12:00.613

Link: CVE-2026-21259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:45:11Z

Weaknesses