This vulnerability is a use-after-free flaw in Microsoft Office Excel that allows an unauthorized attacker to execute arbitrary code locally. The flaw arises when memory is prematurely released, enabling malicious actors to inject and run code with the same privileges as the Excel process. The resulting impact is the potential for an attacker to gain control over the local system, compromising confidentiality, integrity, and availability of the affected device.

Affected products include Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Microsoft Office Online Server. Specific affected versions are not listed in the provided data; all enumerated product lines are potentially vulnerable until a patch is applied.

The CVSS score of 7.8 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests a low to moderate likelihood of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog, which reduces its known exploitation prevalence. Exploitation typically requires the attacker to supply a specially crafted Office file (e.g., a workbook or add-in) that triggers the use-after-free condition, thereby executing code on the victim’s machine. The attack vector is likely local or requires user interaction to open the malicious file, rather than a purely remote exploitation path.