Description
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: 2026-04-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Apply patch
AI Analysis

Impact

A use‑after‑free bug in Microsoft Office Excel enables an attacker to execute arbitrary code. The flaw allows the execution of code that can compromise the confidentiality, integrity, and availability of the affected system, essentially granting full control to the attacker. The weakness falls under CWE‑416 (Use After Free).

Affected Systems

Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server are all impacted. Patching is required for all versions listed.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity. Although an EPSS score is not available, the flaw’s high impact suggests that exploitation could occur if a malicious file is opened by a user. The vulnerability is not currently listed in CISA’s KEV catalog, but the lack of a public exploit does not reduce the risk, as the attack can be achieved through a crafted Office document. A Microsoft patch is available; applying it removes the use‑after‑free condition and the ability for code execution.

Generated by OpenCVE AI on April 14, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Office updates that contain the fix for CVE‑2026‑32189.
  • Confirm the installed update version matches Microsoft’s guidance for the affected products.
  • If immediate patching is not possible, restrict users from opening files from untrusted sources and disable macros for Office documents.
  • Monitor logs for signs of exploitation attempts, such as unexpected process creation from Office components.

Generated by OpenCVE AI on April 14, 2026 at 20:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft microsoft 365 Apps For Enterprise
Microsoft office Online Server
Vendors & Products Microsoft microsoft 365 Apps For Enterprise
Microsoft office Online Server

Tue, 14 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Title Microsoft Excel Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Excel 2016 Microsoft 365 Apps For Enterprise Office 2019 Office 2021 Office 2024 Office Macos 2021 Office Macos 2024 Office Online Server
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-17T16:12:30.569Z

Reserved: 2026-03-11T00:26:53.426Z

Link: CVE-2026-32189

cve-icon Vulnrichment

Updated: 2026-04-14T19:01:46.309Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T18:17:24.950

Modified: 2026-04-17T15:10:35.607

Link: CVE-2026-32189

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:02:41Z

Weaknesses