This vulnerability is a heap‑based buffer overflow in Microsoft Office that allows an attacker to execute arbitrary code locally on the affected system. The flaw involves a use‑after‑free condition, identified as CWE‑416, which gives the attacker the privileges of the local user. When exploited, the attacker can run malicious code with the same rights as the user who opens a document, potentially enabling full system compromise.

The issue impacts a wide array of Microsoft Office products. It applies to Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office 2019, Office LTSC 2021, Office LTSC 2024, the macOS versions of Office 365 and Office LTSC 2021/2024, as well as the Office for Android release. Specific affected versions are not enumerated in the advisory, but the advisory lists the product families that may be vulnerable.

The CVSS score of 8.4 marks the vulnerability as high severity. EPSS data is not available, so the exact likelihood of exploitation cannot be quantified, but the lack of a publicly disclosed exploit and absence from the CISA KEV catalog suggest a low to moderate exploitation probability. Because the attack requires an unauthorized user who locally accesses a document processed by Office, the attack vector is inferred to be local. Successful exploitation would grant the attacker code execution capabilities with the user’s privileges, underscoring the need for immediate remediation.