Impact
An out‑of‑bounds read in Microsoft Office Excel enables an unauthorized attacker to read memory contents and transmit them over a network, resulting in leakage of potentially sensitive data from the host. This weakness can be leveraged to compromise the confidentiality of information stored on the system, in transit, or both, depending on the attacker's access level. The reported abuse was not limited to local execution: the data read out of bounds could be sent to an external system, which implies a remote disclosure capability.
Affected Systems
The vulnerability affects Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. Specific version ranges are not supplied, suggesting that all supported releases listed may contain the flaw.
Risk and Exploitability
With a CVSS score of 8.2, the flaw is classified as high severity. EPSS data is not available, so the current likelihood of exploitation cannot be quantified, but the absence of a KEV listing indicates that no widespread exploitation has been confirmed yet. The likely attack vector is network‑based, as the vulnerability permits information disclosure over a network. The description does not explicitly define the exact method of exploitation, however, so this inference rests only on the stated network disclosure capability.