Impact
This vulnerability is an integer underflow (wrap or wraparound) in Microsoft Excel that allows an unauthorized attacker to execute code locally. The flaw gives an attacker the ability to run arbitrary code, potentially compromising the confidentiality, integrity, and availability of the affected system. The impact is limited to the local user context, but the ability to run code can be leveraged to further propagate or damage the environment.
Affected Systems
Affected Microsoft products include Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. No specific version ranges are listed, so all released iterations of these products are potentially vulnerable.
Risk and Exploitability
The CVSS score of 7 indicates high severity, but the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a malicious workbook or data file opened by a user; the attacker must deliver the file or entice the user to open it, as execution occurs locally. No public exploitation data is present, but the high CVSS suggests that once the flaw is discovered, local code execution could be a serious risk.
OpenCVE Enrichment