Impact
The vulnerability is an out‑of‑bounds read in Microsoft Office Excel that permits an unauthorized local attacker to read data held in memory for a given application instance. This flaw is identified as CWE‑125 and can expose sensitive information that the user has opened or is currently working on, potentially including personal data or corporate secrets. The consequence is a loss of confidentiality for any information that resides in memory when the vulnerable application is running.
Affected Systems
The affected products are Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. Version information was not specified in the data, so any installed build of these products may be vulnerable unless a fix has already been applied.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, but exploitation is limited to a local context and does not provide remote code execution. The EPSS score is not available, so exact exploit likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need local access to the user’s account and the ability to launch the affected Office application to leverage the out‑of‑bounds read and recover memory contents.