CVE-2026-44820: Microsoft Office Excel Out-of-Bounds Read Remote Code Execution Vulnerability
CVE-2026-44820 is a memory safety vulnerability in Microsoft Office Excel that allows an attacker to read memory outside the intended boundaries and execute arbitrary code. The attack requires local access to the machine and user interaction—typically opening a malicious file—but does not require elevated permissions. Once triggered, the attacker gains the same privileges as the user running Excel, making this a serious threat to any organization relying on Office for routine work.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 14 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from an out-of-bounds read condition (CWE-125) in Excel's memory handling routines. When processing certain file formats or structures, Excel fails to properly validate buffer boundaries before reading data. An attacker can craft a malicious Office document that, when opened by a user, causes Excel to read memory beyond allocated buffers. The attacker can leverage the exposed memory contents or the resulting state to achieve code execution in the context of the Excel process. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects local attack surface, low complexity, required user interaction, and high impact across confidentiality, integrity, and availability.
Business impact
Exploitation could lead to theft of sensitive data—financial models, intellectual property, or customer information embedded in spreadsheets—without detection. An attacker could also modify spreadsheets to inject formulas, alter calculations, or corrupt data integrity, impacting decision-making and compliance reporting. In manufacturing, finance, or engineering environments where Excel is mission-critical, code execution could disrupt workflows or pivot to lateral movement within the network. Organizations relying on Office Online Server for shared document processing face similar risks at scale.
Affected systems
The vulnerability affects multiple Microsoft Office product lines: Excel standalone, Office 2019, Office 2021, Office 2024, Microsoft 365 Apps, Microsoft 365 subscriptions, and Office Online Server. Both desktop and cloud-integrated deployment models are in scope. Organizations using older Office versions alongside modern installations should prioritize identifying which systems run affected releases in their environment.
Exploitability
Exploitation requires local system access and user interaction—the user must open a specially crafted file. No network-based attack vector exists. However, the barrier to user interaction is low; social engineering can be effective, particularly if the malicious file arrives via email or file-sharing platforms and mimics a legitimate business document. Once a user opens the file, no additional steps or credentials are needed to trigger the vulnerability, making it a practical threat in real-world phishing campaigns.
Remediation
Microsoft has released security updates addressing this vulnerability. Organizations should apply patches to all affected Office installations as soon as feasible. Prioritize systems where users frequently open files from external or untrusted sources. For Office Online Server environments, ensure the server infrastructure is patched before users resumeactive document processing. Verify patch application across both direct installations and Microsoft 365 cloud subscriptions, which may update on different schedules.
Patch guidance
Check Microsoft's security bulletin for CVE-2026-44820 to identify the specific patch versions for each product variant (Excel, Office 2019/2021/2024, Microsoft 365 Apps, and Office Online Server). Updates may be delivered through Windows Update, Microsoft Update, or the Microsoft 365 admin center depending on deployment model. Test patches in a non-production environment first, particularly in organizations with complex Office macros or add-ins. Verify that post-patch document compatibility remains intact before rolling out broadly.
Detection guidance
Monitor for unexpected Excel process behavior: high memory consumption, unusual file access patterns, or creation of child processes from Excel. Endpoint Detection and Response (EDR) solutions should alert on code execution initiated from Excel. File-integrity monitoring can catch modifications to spreadsheets on disk. Email and web gateways should scrutinize .xlsx, .xls, and related Office formats for suspicious embedded structures or macro-like content. Consider disabling macros by default and requiring explicit user approval where business-critical workflows depend on them, as a compensating control pending patch deployment.
Why prioritize this
The CVSS 7.8 (HIGH) severity reflects realistic end-to-end compromise: an attacker needs only local access and user interaction to achieve full code execution with no permission escalation required. The wide product coverage (Excel, all recent Office releases, and cloud variants) means the vulnerability affects the vast majority of enterprise environments. Although not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at publication, the low barrier to weaponization—a single file attachment—makes rapid adoption in the threat landscape likely. Early patching reduces exposure window before active exploitation emerges.
Risk score, explained
The vulnerability scores 7.8 (HIGH) under CVSS 3.1 because: (1) local attack vector limits initial compromise to users on the machine or those deceived into opening files, but does not prevent widespread distribution via email; (2) low attack complexity means no special tools or conditions are needed once the file is opened; (3) no privilege requirement—the attack succeeds at user level; (4) high confidentiality, integrity, and availability impact because code execution allows data theft, modification, and system disruption. The required user interaction prevents a maximum critical score, but does not materially reduce practical risk in environments where file-sharing is routine.
Frequently asked questions
Do I need to patch Microsoft 365 cloud-only users, or does Microsoft handle security automatically?
Microsoft 365 cloud services receive patches on Microsoft's schedule, but your organization should verify patch status in the Microsoft 365 admin center. Do not assume automatic patching for all components; some features or integrations may require manual updates or configuration changes. Confirm patch adoption across all licensed seats and endpoints connecting to Microsoft 365 services.
Can we work around this vulnerability without patching immediately?
Temporary mitigations include: restricting Excel file access through file-type filtering at email gateways, disabling macros in Office group policies, and educating users to treat unexpected file attachments with suspicion. However, these do not eliminate the underlying memory flaw. Plan patching as the primary remediation path; workarounds buy time but are not a long-term substitute.
How do we know if our Office Online Server is affected?
Check your Office Online Server version against Microsoft's security bulletin for CVE-2026-44820. Verify through the application's settings or PowerShell diagnostics (Get-SPFarmProductVersions). Apply the recommended patch to the server farm before users resume active document collaboration, as the server processes user-uploaded files and could be exploited without additional user action on the client side.
What is CWE-125 and why does it matter for this vulnerability?
CWE-125 (Out-of-bounds Read) describes the root cause: software reads memory outside its intended boundaries. In this case, Excel's buffer-handling logic fails to validate size checks, allowing attackers to access adjacent memory regions containing executable code or sensitive data. This category of flaw is particularly dangerous in C/C++ applications like Office, where memory safety is manual, making it a recurring vulnerability pattern to watch for in other Microsoft products.
This analysis is based on publicly available vulnerability data current as of the publication date. Organizations should verify all patch version numbers and remediation steps against official Microsoft security bulletins and their specific product configurations. SEC.co does not provide warranty for the accuracy of third-party vendor advisories or exploit information that may emerge post-publication. Always test patches in isolated environments before production deployment. For incident response or breach concerns, consult your security operations center or a qualified cybersecurity professional. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11077HIGHChrome Dawn Graphics Vulnerability – Sandbox Escape Risk
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-11191HIGHOut-of-Bounds Memory Access in Chrome ANGLE Library