Impact
A memory management flaw in Microsoft Office Excel allows an attacker to trigger a use‑after‑free condition (CWE‑416), enabling the execution of arbitrary code when a crafted document is opened. Successful exploitation results in unauthorized local code execution, which can give the attacker control over the victim's machine, the ability to install malware, or the ability to modify or delete data. The impact is confined to the security context of the user who opens the file, but because Excel documents are routinely shared, the risk of widespread compromise is significant.
Affected Systems
Affected products include Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. All currently supported versions of these products are vulnerable, as the same code path is used across the different releases.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity. No EPSS score is listed and the flaw is not marked as being in the KEV catalog, but neither absence reduces confidence that it can be abused. The likely attack vector is a malicious Office file crafted by the attacker; when a user on a vulnerable system opens it, the use‑after‑free hands control to the attacker's code. The attack vector is local and requires user interaction, but given the ubiquity of file sharing, exploitation could become common once the flaw is publicly known.
OpenCVE Enrichment