A heap‑based buffer overflow exists in Microsoft Office that permits an attacker to execute arbitrary code on a vulnerable workstation when the user opens a crafted Office document. The flaw allows the attacker to gain the privileges of the logged‑in user, potentially leading to full system compromise. The weakness is identified as CWE‑822, which indicates an unchecked buffer write with direct exploitation potential.

The vulnerability affects multiple Office products, including Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Office 365 for Mac, Office LTSC for Mac 2021, and Office LTSC for Mac 2024. All current releases of these suites are impacted; no specific version exclusions are listed, implying that any installed edition remains vulnerable until updates are applied.

The CVSS score of 7.8 classifies the issue as high severity. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog, indicating that large‑scale exploitation has not been observed to date. However, the flaw requires the user to open a malicious document, an attack vector that is common in phishing and social engineering campaigns. Because the effect is local code execution, any user with administrative rights could elevate themselves to full control of the machine, making the impact substantial for end‑points.