Description
Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an untrusted pointer dereference in Microsoft Office Excel that enables an unauthorized attacker to execute arbitrary code locally. This results in a Local Code Execution flaw, potentially compromising the confidentiality, integrity, and availability of the affected system. The weakness aligns with CWE‑822.

Affected Systems

Affected systems include Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. Specific version details are not provided in the supplied data.

Risk and Exploitability

The CVSS score of 7.8 marks the issue as high severity, while an EPSS score of less than 1% indicates a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is inferred to be local, requiring an attacker with some level of interaction or access to execute this exploit. The absence of a remote trigger suggests that privileged or local access is necessary to exploit the untrusted pointer dereference.

Generated by OpenCVE AI on March 16, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Microsoft’s security update guide for a patch for CVE‑2026‑26112
  • Apply the official Microsoft patch as soon as it is available
  • Verify that the update has installed correctly by checking the version or security advisory
  • If an immediate patch is not available, consider disabling or restricting macros and other potentially vulnerable Office features while continuing to monitor for anomalous activity

Generated by OpenCVE AI on March 16, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*
Vendors & Products Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Online Server
Vendors & Products Microsoft office Online Server

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Title Microsoft Excel Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-822
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Excel Excel 2016 Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Office Online Server
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:32:53.257Z

Reserved: 2026-02-11T15:52:13.910Z

Link: CVE-2026-26112

cve-icon Vulnrichment

Updated: 2026-03-10T18:02:24.094Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:39.947

Modified: 2026-03-13T16:06:36.180

Link: CVE-2026-26112

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:34:24Z

Weaknesses