Based on the description, it is inferred that a heap‑based buffer overflow in Microsoft Office can be triggered by an attacker supplying a specially crafted document or file, allowing arbitrary code execution on the affected machine with the privileges of the current user. The flaw stems from improper bounds checking in the heap allocator, which is reflected in CWE‑121 and CWE‑191 identifiers. Locally executed code could lead to data compromise, ransomware deployment, or further lateral movement within an internal network.

All listed Microsoft Office products are affected, including Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office 365 for Mac, Microsoft Office LTSC 2021 and LTSC 2024 (both Windows and Mac), as well as Microsoft Office for Android. Specific version information is not provided, so any installation of these products should be considered vulnerable until a patch is applied.

The CVSS score of 8.4 classifies this flaw as high severity, and the EPSS score is currently unavailable, indicating that official exploitation data is not yet reported. Because the vulnerability requires a local attacker or a user to open a malicious document, it is not a remote exploitation vector. The likely attack vector is a local user opening a malicious document. It is not listed in the CISA KEV catalog, suggesting that widespread exploitation may not yet be observed. Nonetheless, once a multi‑step supply chain or social engineering path delivers a malicious file to an end user, code execution could occur without additional privileges.