CVE-2026-44822: Microsoft Office Excel Out-of-Bounds Read Information Disclosure
Microsoft Office Excel contains an out-of-bounds read vulnerability that allows a remote attacker to extract sensitive information from a user's system without authentication or user interaction. The flaw affects multiple Microsoft Office products across different versions and deployment models. An attacker could exploit this by crafting a malicious Excel file or triggering the vulnerability over a network, potentially exposing confidential data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 14 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-19
NVD description (verbatim)
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-44822 is a CWE-125 (out-of-bounds read) vulnerability in Microsoft Office Excel. The flaw allows an unauthenticated remote attacker to read memory beyond the intended boundaries of a data structure, enabling information disclosure. The CVSS 3.1 score of 8.2 (HIGH) reflects network exploitability without authentication or user interaction required, high confidentiality impact, and limited integrity impact. No availability impact is present. The attack vector is network-based with low attack complexity.
Business impact
This vulnerability poses a material information security risk. Attackers can extract proprietary data, credentials, or other sensitive information from systems processing malicious or compromised Excel documents. Organizations relying on Excel for financial modeling, business intelligence, or document handling face potential data exfiltration. The lack of required user interaction increases the risk in environments where files are processed via automated workflows, batch jobs, or email gateways. Reputational harm, regulatory exposure, and competitive disadvantage could result from unauthorized data disclosure.
Affected systems
The vulnerability affects a broad range of Microsoft Office products: Microsoft 365 Apps, Microsoft Excel (standalone), Microsoft 365 subscriptions, Office 2019, Office 2021, Office 2024, and Office Online Server. Both desktop and cloud-based deployment models are impacted. Organizations running any of these product variants should assume exposure unless they have verified patching status.
Exploitability
The vulnerability is readily exploitable. It requires no authentication, no user privileges, and no user interaction—an attacker can trigger the flaw remotely by sending a specially crafted Excel file. The low attack complexity means exploitation does not depend on timing, race conditions, or system-specific configurations. This combination makes the vulnerability attractive to threat actors seeking to harvest information at scale. The fact that it is not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog does not indicate low risk; KEV status lags real-world exploitation.
Remediation
Organizations must apply Microsoft security updates to all affected Office products and versions. Verify patch status across Microsoft 365 Apps, Excel standalone installations, Office 2019, 2021, and 2024 deployments, and Office Online Server instances. Prioritize systems that regularly handle external or untrusted Excel files. Until patching is complete, consider restricting Excel file processing in automated workflows or sandboxing external files.
Patch guidance
Monitor Microsoft's Security Update Guide and official advisories for the specific patch versions addressing CVE-2026-44822. Apply updates to all affected Office product variants listed above. Test patches in a non-production environment first to ensure compatibility with business-critical workflows. For Office Online Server deployments, verify patch availability and deployment procedures specific to your infrastructure. Organizations using Microsoft 365 Apps may receive updates automatically; verify deployment settings and confirm patch installation.
Detection guidance
Monitor for unusual file access patterns or memory reads that could indicate exploitation attempts. Endpoint detection and response (EDR) solutions should be tuned to alert on suspicious Excel process behavior, especially if triggered by network-delivered files or email attachments. Log file processing events and correlate them with system memory dumps or process telemetry. Network-based detection should focus on identifying malicious Excel file transmission and delivery. Consider deploying quarantine rules for Excel files from untrusted sources until patching is complete.
Why prioritize this
This vulnerability merits immediate attention due to its combination of high CVSS score (8.2), broad product scope, network exploitability without authentication, and absence of user interaction requirements. The information disclosure impact is substantial, and the attack surface is large in organizations where Excel files are ingested from external sources or processed programmatically. The extensive affected product list amplifies remediation scope and urgency.
Risk score, explained
The CVSS 3.1 score of 8.2 reflects a HIGH-severity vulnerability. The network attack vector (AV:N) and lack of required authentication (PR:N, UI:N) elevate exploitability. High confidentiality impact (C:H) from arbitrary memory disclosure is balanced by limited integrity impact (I:L) and no availability impact (A:N). Low attack complexity (AC:L) indicates the flaw is straightforward to exploit without special conditions. This profile indicates a vulnerability worthy of rapid patching and elevated monitoring.
Frequently asked questions
Can this vulnerability be exploited if a user simply opens a malicious Excel file?
Yes. The vulnerability does not require user interaction to be triggered, meaning the act of opening or processing a malicious Excel file can initiate the out-of-bounds read. Automated systems, email gateways, or document preview features could inadvertently trigger exploitation without conscious user action.
Does this vulnerability allow an attacker to modify or delete data?
No. The vulnerability is limited to information disclosure via out-of-bounds read. It does not provide write access or the ability to modify, delete, or corrupt data. However, information exposure can be a precursor to further attacks, such as credential harvesting or targeted social engineering.
Are cloud-based deployments of Office 365/Microsoft 365 also affected?
Yes, Microsoft 365 Apps and Office Online Server are listed among affected products. Cloud tenants relying on these services should confirm patch status with Microsoft and monitor deployment notifications, as Microsoft manages patching for cloud services.
What should I do if I cannot patch immediately?
Until patches are applied, minimize exposure by restricting processing of untrusted Excel files, disabling Excel preview features in email clients, sandboxing external files, and increasing monitoring of file handling processes. Implement network segmentation to limit lateral movement if information exposure occurs.
This analysis is based on publicly available vulnerability data and vendor advisories as of the publication date. Patch availability, version numbers, and remediation timelines should be verified directly against Microsoft's official Security Update Guide and product documentation. Organizations should conduct their own risk assessment and testing before deploying patches to production systems. This advisory does not constitute legal, compliance, or investment advice. SEC.co makes no warranty regarding the completeness or accuracy of this analysis relative to future disclosures or vendor updates. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11077HIGHChrome Dawn Graphics Vulnerability – Sandbox Escape Risk
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-11191HIGHOut-of-Bounds Memory Access in Chrome ANGLE Library