Description
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap‑based buffer overflow in Microsoft Office permits an attacker to execute arbitrary code when the application loads a malicious file. The flaw can lead to full compromise of the user’s machine, allowing the attacker to run payloads, compromise data, or pivot to other systems. The weakness is identified as CWE‑122, which indicates that memory corruption can be leveraged without privileged input sanitization.

Affected Systems

The affected products are Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Microsoft Office for Android. Users running any of these versions should verify that they are on the lowest version number indicated in the list and seek an update.

Risk and Exploitability

With a CVSS score of 7.8 this vulnerability falls into the high‑severity range. No EPSS score is published, and the vulnerability is not yet in CISA’s KEV catalog, suggesting that exploitation is possible but not yet observed in the wild. The likely attack vector is via a user opening a specially crafted document or file that exploits the heap overflow. Successful exploitation requires local execution of the Office application and therefore typically depends on user interaction. The overall risk is high for systems that permit users to open untrusted Office files.

Generated by OpenCVE AI on May 12, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Office security update available through Windows Update, macOS Software Update, or the Microsoft Store for Android
  • Configure automatic update settings for all Office installations to ensure future patches are applied promptly
  • Use application layer restrictions such as disabling macros and enabling protected view to reduce the risk of malicious content being executed

Generated by OpenCVE AI on May 12, 2026 at 20:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft 365 Copilot
CPEs cpe:2.3:a:microsoft:office:*:*:*:*:*:android:*:* cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:android:*:*
Vendors & Products Microsoft 365 Copilot

Tue, 19 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:macos:*:* cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
Vendors & Products Microsoft office Long Term Servicing Channel

Sat, 16 May 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:office:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:macos:*:*
cpe:2.3:a:microsoft:office:2024:*:*:*:ltsc:macos:*:*

Wed, 13 May 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office For Android
Vendors & Products Microsoft office For Android

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Title Microsoft Office Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft office
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-122
CPEs cpe:2.3:a:microsoft:office:*:*:android:*:*:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft office
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Copilot Office Office For Android Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T19:33:08.852Z

Reserved: 2026-04-30T14:51:12.703Z

Link: CVE-2026-42831

cve-icon Vulnrichment

Updated: 2026-05-13T09:59:57.006Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:25.673

Modified: 2026-05-22T14:49:53.277

Link: CVE-2026-42831

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:00:10Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow