Impact
An integer underflow (wrap or wraparound) occurs in Microsoft Office Excel when processing certain inputs, allowing an attacker to craft malicious content that leads to code execution on the victim's system. The vulnerability enables arbitrary code to run with the privileges of the signed-in user, compromising the confidentiality, integrity, and availability of the affected machine. The weakness is a classic bounds-checking failure (CWE-843).
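The advisory does not describe the internal Excel code path, so the following is an added illustration of the general weakness class rather than the product's own code: a parser reads a record whose header carries a total length, subtracts the header size to obtain the payload length, and wraps to a huge value when the declared total is smaller than the header. The record format, field sizes, and sample records are constructed for this example. The vulnerable routine only returns the wrapped length (no copy is performed), while the hardened routine rejects the record before the subtraction and bounds the result by the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout (constructed for this example):
 *   bytes 0-1 : record type, little-endian
 *   bytes 2-3 : total record length including this 4-byte header, little-endian
 *   bytes 4.. : payload
 */
#define HEADER_LEN 4u

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable length computation: the unsigned subtraction wraps when the
 * declared total is smaller than HEADER_LEN (CWE-191 style underflow).
 * A downstream copy using this value would read or write far past the
 * buffer; here the value is only returned so the routine is safe to call. */
size_t payload_len_vulnerable(const uint8_t *rec, size_t rec_size) {
    if (rec_size < HEADER_LEN) return 0;
    uint16_t total = rd16(rec + 2);
    return (size_t)total - HEADER_LEN;   /* wraps for total < 4 */
}

/* Hardened version: validate before subtracting and bound by the bytes
 * actually present. Returns the payload length, or -1 if the record is
 * malformed. */
long payload_len_checked(const uint8_t *rec, size_t rec_size) {
    if (rec_size < HEADER_LEN) return -1;          /* header not fully present */
    uint16_t total = rd16(rec + 2);
    if (total < HEADER_LEN) return -1;             /* would underflow */
    size_t payload = (size_t)total - HEADER_LEN;
    if (payload > rec_size - HEADER_LEN) return -1; /* declares more than exists */
    return (long)payload;
}

/* Constructed sample records. */
const uint8_t good_record[]     = {0x01, 0x00, 0x08, 0x00, 'A', 'B', 'C', 'D'}; /* total 8, payload 4 */
const uint8_t short_record[]    = {0x01, 0x00, 0x02, 0x00, 'A', 'B', 'C', 'D'}; /* total 2 < header  */
const uint8_t overlong_record[] = {0x01, 0x00, 0x40, 0x00, 'A', 'B'};           /* total 64, 2 bytes present */

int main(void) {
    printf("vulnerable, good   : %zu\n", payload_len_vulnerable(good_record, sizeof good_record));
    printf("vulnerable, short  : %zu\n", payload_len_vulnerable(short_record, sizeof short_record));
    printf("checked, good      : %ld\n", payload_len_checked(good_record, sizeof good_record));
    printf("checked, short     : %ld\n", payload_len_checked(short_record, sizeof short_record));
    printf("checked, overlong  : %ld\n", payload_len_checked(overlong_record, sizeof overlong_record));
    return 0;
}
```

The ordering in the checked routine is the point: the comparison `total < HEADER_LEN` runs on the raw field before any arithmetic, and the second comparison is written as `payload > rec_size - HEADER_LEN` (safe because `rec_size >= HEADER_LEN` was already established) rather than `payload + HEADER_LEN > rec_size`, which could itself overflow.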
Affected Systems
Microsoft products affected include Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021 and LTSC 2024, Office LTSC for Mac 2021 and LTSC for Mac 2024, and Office Online Server. The vulnerability is present across these Office families; specific version details are not listed beyond the product family.
Risk and Exploitability
The CVSS score of 7.8 categorizes this as a high-severity flaw. EPSS is not available, so the likelihood of exploitation in the wild is uncertain, but the flaw is not listed in the CISA KEV catalog. The likely attack vector is local file exploitation: the victim opens a malicious workbook. Successful exploitation would grant full control over the target system. No network privileges are required, making this a local privilege escalation attack that depends on the user opening a crafted file.
OpenCVE Enrichment