Description
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: 2026-04-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Immediate Patch
AI Analysis

Impact

An use‑after‑free flaw in Microsoft Office Excel permits an attacker to execute arbitrary code locally. The vulnerability is a classic memory management error (CWE‑416) that can be triggered by a specially crafted Excel workbook, giving the attacker control over the target system’s code execution path and potentially compromising confidentiality, integrity, or availability of the host.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. Specific version information is not provided in the available data, so all current releases of these products are considered susceptible.

Risk and Exploitability

The CVSS base score of 7.8 indicates high severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation is likely limited to a local context, requiring that an attacker have access to a user’s machine or the ability to deliver a malicious workbook. No EPSS data is available, but the use‑after‑free nature and lack of mitigations suggest that once the flaw is triggered, code execution is practically guaranteed on the affected system.

Generated by OpenCVE AI on April 14, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Office and Excel security update for CVE-2026-32199 by installing the available patch through Microsoft Update or by downloading the standalone installer from the MSRC update guide.
  • If an immediate patch is not possible, isolate the affected workstation by disconnecting it from the corporate network until the update can be applied, or use a virtual machine or sandboxed environment to open any workbook from untrusted sources.
  • Verify the patch installation by checking the Office version number or by querying the update history in the Office application.

Generated by OpenCVE AI on April 14, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*
Vendors & Products Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel

Wed, 15 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Online Server
Vendors & Products Microsoft office Online Server

Wed, 15 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Title Microsoft Excel Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Excel Excel 2016 Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Office Online Server
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-30T14:42:28.986Z

Reserved: 2026-03-11T00:26:53.428Z

Link: CVE-2026-32199

cve-icon Vulnrichment

Updated: 2026-04-15T09:07:53.798Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T18:17:26.710

Modified: 2026-04-28T17:28:32.140

Link: CVE-2026-32199

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:45:03Z

Weaknesses