Description
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: 2026-03-10
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in Microsoft Office Excel that can be exploited by an unauthorized attacker to initiate local code execution, as stated in the official description. This allows the attacker to run arbitrary code on the victim's machine, potentially compromising confidentiality, integrity, and availability. The weakness corresponds to CWE‑125.

Affected Systems

Affects Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Microsoft Office Online Server. The specific affected versions are not listed, but all editions of the listed products are impacted.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity, while the EPSS score of less than 1% suggests a relatively low current exploitation probability. The vulnerability is not in the KEV catalogue, indicating no confirmed widespread exploitation. The likely attack vector is a malicious Excel file that causes Excel to read beyond allocated memory; this is inferred from the description of an unauthorized attacker executing code locally. Successful exploitation would require the victim to open or otherwise process the crafted file, after which arbitrary code can run under the user's privileges.

Generated by OpenCVE AI on March 16, 2026 at 23:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft update that contains the fix for CVE‑2026‑26109
  • Verify that all affected Microsoft Office applications, including 365 Apps for Enterprise, Excel 2016, Office 2019, LTSC 2021, LTSC 2024, LTSC for Mac 2021, and LTSC for Mac 2024, are updated to the patched versions
  • If a patch is not yet available, disable macro execution in Excel and monitor for suspicious file activity

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:15:00 +0000

Type: First Time appeared
Values Added: Microsoft excel; Microsoft office; Microsoft office Long Term Servicing Channel

Type: CPEs
Values Added:
  cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
  cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
  cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*
  cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*
  cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
  cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
  cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
  cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Microsoft excel; Microsoft office; Microsoft office Long Term Servicing Channel

Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Microsoft microsoft 365 Apps For Enterprise; Microsoft office For Mac; Microsoft office Online Server

Type: Vendors & Products
Values Added: Microsoft microsoft 365 Apps For Enterprise; Microsoft office For Mac; Microsoft office Online Server

Tue, 10 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type: Description
Values Added: Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Type: Title
Values Added: Microsoft Excel Remote Code Execution Vulnerability

Type: First Time appeared
Values Added: Microsoft; Microsoft 365 Apps; Microsoft excel 2016; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024; Microsoft office Macos 2021; Microsoft office Macos 2024

Type: Weaknesses
Values Added: CWE-125

Type: CPEs
Values Added:
  cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
  cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
  cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
  cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
  cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
  cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
  cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*

Type: Vendors & Products
Values Added: Microsoft; Microsoft 365 Apps; Microsoft excel 2016; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024; Microsoft office Macos 2021; Microsoft office Macos 2024

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:33:15.782Z

Reserved: 2026-02-11T15:52:13.910Z

Link: CVE-2026-26109

Vulnrichment

Updated: 2026-03-10T18:39:53.326Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:39.270

Modified: 2026-03-13T16:04:59.440

Link: CVE-2026-26109

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:34:04Z

Weaknesses