Description
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: 2026-06-09
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an integer underflow (wrap or wraparound) in Microsoft Excel that allows an unauthorized attacker to execute code locally. The flaw gives an attacker the ability to run arbitrary code, potentially compromising the confidentiality, integrity, and availability of the affected system. The impact is limited to the local user context, but the ability to run code can be leveraged to further propagate or damage the environment.

Affected Systems

Affected Microsoft products include Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. No specific version ranges are listed, so all released iterations of these products are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7 indicates a high severity, but the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a malicious workbook or data file opened by a user; the attacker must deliver or entice the user to open the file, as execution occurs locally. No public exploit exploitation data is present, but the high CVSS suggests that once the flaw is discovered, local code execution could be a serious risk.

Generated by OpenCVE AI on June 9, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Office security update that addresses CVE-2026-44818 via Microsoft Update or the Microsoft Security Response Center site.
  • Configure Office to run macros only from trusted sources by setting the Macro Security level to “Disable all macros with notification” until the update is applied.
  • Restrict the opening of untrusted documents by enabling Windows Defender or similar antivirus protection to scan Excel files before they are opened.

Generated by OpenCVE AI on June 9, 2026 at 19:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft excel
Microsoft microsoft 365
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:microsoft_365:-:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_2019:-:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office_2019:-:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2021:-:*:*:*:ltsc:-:x64:*
cpe:2.3:a:microsoft:office_2021:-:*:*:*:ltsc:-:x86:*
cpe:2.3:a:microsoft:office_2021:-:*:*:*:ltsc:macos:-:*
cpe:2.3:a:microsoft:office_2024:-:*:*:*:ltsc:-:x64:*
cpe:2.3:a:microsoft:office_2024:-:*:*:*:ltsc:-:x86:*
cpe:2.3:a:microsoft:office_2024:-:*:*:*:ltsc:macos:-:*
cpe:2.3:a:microsoft:office_online_server:-:*:*:*:*:*:*:*
Vendors & Products Microsoft excel
Microsoft microsoft 365

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Online Server
Vendors & Products Microsoft office Online Server

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Title Microsoft Excel Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office 365
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-362
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_365:*:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office 365
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Excel Excel 2016 Microsoft 365 Office 2019 Office 2021 Office 2024 Office 365 Office Macos 2021 Office Macos 2024 Office Online Server
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:40:44.589Z

Reserved: 2026-05-07T20:07:18.272Z

Link: CVE-2026-44818

cve-icon Vulnrichment

Updated: 2026-06-10T10:30:46.602Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T17:17:18.040

Modified: 2026-06-11T18:38:18.510

Link: CVE-2026-44818

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T00:00:10Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')