This vulnerability is a heap‑based buffer overflow in Microsoft Office that allows an unauthenticated or unauthorized attacker to execute arbitrary code locally on a compromised machine. The flaw is triggered when Office processes a malicious file, enabling the attacker to compromise the integrity of the host system and potentially gain full control. The weakness is identified as CWE‑122, which reflects a lack of bounds checking on dynamic memory allocations.

Affected applications include Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office 2021, Office 2024, Office 365 for Mac, the Mac versions of Office 2021 and 2024, as well as SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Users running any of these products on Windows or macOS are at risk, regardless of the installation channel, provided the applications have not been patched to address this flaw.

The CVSS score of 7.8 indicates a high severity level, and while the EPSS score is not available, the lack of a KEV listing suggests no publicly documented exploits yet. However, the absence of a publicly available exploit does not diminish the potential for attackers to develop custom payloads, especially given the local execution capability. The attack vector is inferred to be local, possibly via a malicious document, because the CVE description specifies local code execution; remote exploitation would require additional vulnerability steps not detailed in the provided information.