Description
Integer overflow or wraparound in Microsoft Office allows an authorized attacker to elevate privileges locally.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An integer overflow or wraparound occurs in Microsoft Office for Android that allows an attacker who already has authorized local access to elevate their privileges on the device. The flaw involves improper handling of numeric values (CWE-190) and can result in higher privileges, potentially compromising confidentiality, integrity, or availability of data on the device. The issue is limited to local execution; no remote exploitation is described.

Affected Systems

Vendors and products affected are Microsoft and Microsoft Office for Android. No specific version identifiers are provided in the CNA data or the description, so the precise affected releases are unknown; all available Office for Android installations may be impacted. The official Microsoft Security Response Center reference lists this vulnerability but does not enumerate affected versions.

Risk and Exploitability

The CVSS score of 7.8 places the vulnerability in the High severity band. The EPSS score of less than 1% indicates a low probability of current exploitation in the wild, and it is not listed in the CISA KEV catalog, suggesting no widespread exploitation. The attack vector is local: triggering the integer overflow requires an authorised user who can run the Office application. Given these factors, the risk is significant for organisations that allow local use of Office for Android, but the likelihood of exploitation remains low at present.

Generated by OpenCVE AI on March 16, 2026 at 23:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microsoft Office for Android to the latest version available from the Google Play Store or Microsoft’s official update channel.
  • If an update is not immediately available, restrict device access to exclude unauthorised local users from launching the Office application.
  • Apply least‑privilege settings on the device to minimise the potential impact of a privilege escalation should the flaw be triggered.
  • Verify that the installed Office version includes the patch by checking the version number against the Microsoft Security Update guide referenced above.



Advisories

No advisories yet.

History

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:office:*:*:*:*:*:android:*:*

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Integer overflow or wraparound in Microsoft Office allows an authorized attacker to elevate privileges locally.
Title Microsoft Office Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft office
Weaknesses CWE-190
CWE-416
CPEs cpe:2.3:a:microsoft:office:*:*:android:*:*:*:*:*
Vendors & Products Microsoft
Microsoft office
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:33:00.704Z

Reserved: 2026-02-11T16:24:51.133Z

Link: CVE-2026-26134

Vulnrichment

Updated: 2026-03-10T18:39:44.170Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:42.803

Modified: 2026-03-13T17:06:18.123

Link: CVE-2026-26134

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:34:14Z

Weaknesses