The vulnerability is a heap‑based buffer overflow that allows an unauthorized attacker to execute arbitrary code within a local user context. Key weaknesses are identified as CWE‑122 (Heap‑based Buffer Overflow) and CWE‑787 (Out‑of‑Bounds Write). If exploited, the attacker could compromise the confidentiality and integrity of the system, elevate privileges, and potentially disrupt availability by inserting malicious payloads. The description specifically states that code execution is local, implying a requirement that the attacker’s malicious content reaches the victim’s machine.

Affected vendors are Microsoft, with products including Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Microsoft Office Online Server. Specific version information from the CNA is not provided, therefore the exact affected releases cannot be listed.

The CVSS score for this vulnerability is 7.8, indicating a high severity. The EPSS score is less than 1%, showing that the likelihood of exploitation is currently low, and it is not recorded in the CISA KEV catalog. The attack vector is inferred from the nature of the vulnerability – a maliciously crafted Excel file would need to be opened by a user, making it a user interaction or social‑engineering vector. Although local execution is noted, a remote attacker could potentially trigger exploitation by directing a target to open a compromised file provided via email or web. The overall risk is high if the vulnerability remains unpatched.