HIGH | CVE-2026-44817 | CNA: microsoft

CVE-2026-44817: Microsoft Excel Remote Code Execution Vulnerability

Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 16.0.5556.1001
  • Affected Products: 9

HarborGuard Analysis

Synopsis

An integer underflow vulnerability in Microsoft Excel allows an attacker to execute arbitrary code on the victim's machine. The attack is local and requires no prior authentication, but the victim must open a malicious Excel file, making it a file-based social-engineering attack. Successful exploitation gives the attacker full code execution with the privileges of the user running Excel. Patched-image rebuilds at versions 16.0.5556.1001 and 16.0.10417.20137 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection for CVE-2026-44817 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Microsoft Office or Excel components. Any image in a customer registry or build pipeline containing an affected Excel version is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 base score and surfaces it with per-environment compliance policy weighting applied, so teams with stricter baselines see it elevated accordingly. Triage results route to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild targeting versions 16.0.5556.1001 or 16.0.10417.20137 becomes available through HarborGuard once the upstream fix is confirmed for a given product channel. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host, or delivers a malicious file through other means; no network-exposed service is targeted directly.

  • Authentication: Not required

    No account or credentials on the target system are required before exploitation; the attacker relies entirely on file delivery to the victim.

  • Victim interaction: Required

    The victim must open a specially crafted Excel file, making this a social-engineering attack (for example, a phishing email with a malicious attachment).

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors beyond the victim opening the file.

Blast Radius

  • The attacker executes arbitrary code in the context of the user running Excel, gaining the same file-system and process permissions as that user.
  • Confidential documents, saved credentials, and other files accessible to the user account are readable by the attacker.
  • The attacker can write or modify files on the host, including dropping persistent payloads or altering application data.
  • The Excel process and dependent functionality can be crashed or destabilized, disrupting the user's work session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44817 activates the moment the advisory is ingested, flagging any image containing an affected Excel or Office component version. For environments running Microsoft Excel 2016 below 16.0.5556.1001 or other affected Office channels, a patched-image rebuild at the appropriate fix version is available. Where compliance policy permits auto-remediation, HarborGuard performs the rebuild, executes a regression test run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, the flagged finding appears in the team inbox with fix-version details attached so engineers can act manually. Note that Microsoft Office for Mac variants listed without explicit fix versions are tracked continuously, and HarborGuard will make a rebuild available as soon as Microsoft publishes version details for those channels.

Fix available

  • 16.0.5556.1001
  • 16.0.10417.20137
  • https://aka.ms/OfficeSecurityReleases

Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Excel 2016
    < 16.0.5556.1001 (from 16.0.0.0)
  • Microsoft / Microsoft Office 2019
    < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
  • Microsoft / Microsoft Office 365 for Mac
    -
  • Microsoft / Microsoft Office LTSC 2021
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office LTSC 2024
    < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
  • Microsoft / Microsoft Office LTSC for Mac 2021
    -
  • Microsoft / Microsoft Office LTSC for Mac 2024
    -
  • Microsoft / Office Online Server
    < 16.0.10417.20137 (from 16.0.0.0)
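
The affected-package ranges above can be turned into an inventory check; the sketch below is an added example, not HarborGuard's or Microsoft's code, and the function names and status strings are assumptions. It compares build numbers numerically, since a plain string comparison would rank 16.0.9999.x above 16.0.10417.20137, and it reports channels that the list gives no numeric fix version for instead of guessing one.

```python
# (range start, fixed version) per product, copied from the "Affected packages"
# list on this page. None = the page gives only a release-notes URL or "-".
AFFECTED = {
    "Microsoft 365 Apps for Enterprise": ("16.0.1", None),
    "Microsoft Excel 2016": ("16.0.0.0", "16.0.5556.1001"),
    "Microsoft Office 2019": ("19.0.0", None),
    "Microsoft Office 365 for Mac": (None, None),
    "Microsoft Office LTSC 2021": ("16.0.1", None),
    "Microsoft Office LTSC 2024": ("16.0.0", None),
    "Microsoft Office LTSC for Mac 2021": (None, None),
    "Microsoft Office LTSC for Mac 2024": (None, None),
    "Office Online Server": ("16.0.0.0", "16.0.10417.20137"),
}


def version_key(version, width=4):
    """Turn '16.0.5556.1001' into (16, 0, 5556, 1001), zero-padded to `width`."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))


def status(product, installed):
    """Classify an installed build against the page's range for `product`."""
    if product not in AFFECTED:
        return "not-listed"
    start, fixed = AFFECTED[product]
    if fixed is None:
        # No numeric bound on this page; the fix version must come from
        # https://aka.ms/OfficeSecurityReleases once published.
        return "check-release-notes"
    inst = version_key(installed)
    if inst < version_key(start):
        return "below-range"
    return "affected" if inst < version_key(fixed) else "fixed"


if __name__ == "__main__":
    # Constructed inventory rows, not real scan output.
    for prod, ver in [("Microsoft Excel 2016", "16.0.5539.1000"),
                      ("Office Online Server", "16.0.9999.1"),
                      ("Microsoft Office 2019", "19.0.1")]:
        print(f"{prod} {ver}: {status(prod, ver)}")
```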
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C