Impact
Microsoft Office components contain an out-of-bounds read, classified as CWE-125, that lets a local attacker read memory beyond the intended bounds of a buffer and so disclose whatever that memory holds. Because the over-read is triggered inside a normal Office operation, an adversary who can already run code or open content on the machine may be able to recover fragments of confidential data from documents or from process memory. The flaw gives no direct control over the system or network; the threat is to confidentiality only.
Affected Systems
Affected vendors and products include Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office 365 for Mac, Office LTSC 2021, Office LTSC 2024, Office LTSC for Mac 2021, Office LTSC for Mac 2024, SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Specific version ranges are not enumerated in the advisory, so every released build of these products should be treated as potentially affected until the corresponding update is installed. Microsoft's update guidance provides the exact fixed build numbers to compare against.
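Since the advisory lists products rather than build numbers, the first practical step is to find out which Office builds are actually installed and compare them with the fixed builds Microsoft publishes. The following PowerShell is an added example, not part of the advisory or of any Microsoft tooling. It reads the standard Click-to-Run and MSI registry locations; the `-MinimumFixedVersion` value is an assumption you supply from Microsoft's update guidance, and the script does not cover SharePoint or the Mac editions.

```powershell
# Added example: inventory Office installs on a Windows host and flag builds below
# a fixed build taken from Microsoft's update guidance (supplied by the operator).

function Get-OfficeInstall {
    $results = @()

    # Click-to-Run installs (Microsoft 365 Apps, Office 2019/2021/2024 retail and LTSC)
    # record the reported build under ClickToRun\Configuration.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $cfg = Get-ItemProperty -Path $c2r
        $results += [pscustomobject]@{
            Source   = 'ClickToRun'
            Product  = $cfg.ProductReleaseIds
            Version  = [version]$cfg.VersionToReport
            Channel  = $cfg.UpdateChannel
        }
    }

    # MSI-based installs (for example volume-licensed Office 2016) appear in the
    # Uninstall keys; DisplayVersion carries the build.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Office*' -and $_.DisplayVersion } |
        ForEach-Object {
            $results += [pscustomobject]@{
                Source   = 'MSI'
                Product  = $_.DisplayName
                Version  = [version]$_.DisplayVersion
                Channel  = $null
            }
        }

    return $results
}

function Test-OfficePatchLevel {
    param(
        # Assumed input: the lowest fixed build for this install's product and
        # channel, copied from Microsoft's update guidance for the CVE.
        [Parameter(Mandatory)][version]$MinimumFixedVersion
    )

    foreach ($install in Get-OfficeInstall) {
        $status = if ($install.Version -ge $MinimumFixedVersion) { 'Patched' } else { 'NEEDS UPDATE' }
        [pscustomobject]@{
            Source  = $install.Source
            Product = $install.Product
            Channel = $install.Channel
            Version = $install.Version
            Status  = $status
        }
    }
}

# Usage (build number is a placeholder; replace it with the value from the advisory):
# Test-OfficePatchLevel -MinimumFixedVersion '16.0.0.0' | Format-Table -AutoSize
```

Fixed builds differ per update channel, so run the check once per channel value reported under `UpdateChannel` rather than with a single number for the whole estate. For Office on macOS, read the `CFBundleShortVersionString` from each application's `Info.plist` instead; for SharePoint, compare the installed patch level reported by the farm's Central Administration against the server update in Microsoft's guidance.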
Risk and Exploitability
With a CVSS base score of 3.3 the severity is low. No EPSS score is reported for this entry, so no exploitation-probability estimate is available; the missing score is not evidence that exploitation is or is not occurring. The vulnerability is not currently listed in CISA's KEV catalog. Attacks require the adversary to already have local access to the affected machine, for example through an existing user session or a foothold gained some other way; no remote or network vector is described. The impact is limited to confidentiality on the local system, but because the disclosed memory can include document contents, organizations should still apply the update promptly rather than defer it on the basis of the low score.
OpenCVE Enrichment