HarborGuard Database

HIGH | CVE-2026-44818 | CNA: microsoft

CVE-2026-44818: Microsoft Excel Remote Code Execution Vulnerability

Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1: 7.0
Severity: HIGH
Fixed in: 16.0.5556.1001
Affected Products: 9


HarborGuard Analysis

Synopsis

An integer underflow (unsigned wraparound) vulnerability in Microsoft Excel allows an attacker to execute arbitrary code on a victim's machine. The attack vector is local and requires no authentication, but the victim must open a specially crafted Excel file, so social engineering is the delivery mechanism; attack complexity is rated High, so exploitation is not guaranteed to be reliable on every target. Successful exploitation gives the attacker code execution with the victim's privileges, enabling data theft, file modification, or further system compromise. Patched-image rebuilds at versions 16.0.5556.1001 (Excel 2016) and 16.0.10417.20137 (Office Online Server) are available on HarborGuard for environments running affected versions; the other affected products are fixed in the releases listed at https://aka.ms/OfficeSecurityReleases.
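As an added illustration of the vulnerability class only (this is not Excel's code and not the CVE-2026-44818 code path, which Microsoft has not published), the C example below shows the common length-field underflow pattern in a file parser: a record's declared length is checked against the buffer but not against the header it must contain, so the unsigned subtraction wraps and the result would feed memcpy or an allocator. The record layout, the function names and the two sample records are assumptions constructed for this example; the hardened variant shows the two-sided bound that prevents the wrap.

```c
/*
 * Illustrative integer-underflow pattern in a length-prefixed record parser.
 * Added example of the bug class (unsigned wraparound), not Excel's file
 * format and not the CVE-2026-44818 code path. The record layout and the
 * sample records below are constructed for this example.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy layout: 4-byte tag, 4-byte little-endian total record length
 * (header included), then the body. */
#define HDR_LEN 8u

/* Constructed sample records: a well-formed one, and one whose declared
 * total length (2) is smaller than the header it must contain. */
static const uint8_t kGoodRecord[] = { 'C','E','L','L', 12,0,0,0, 'a','b','c','d' };
static const uint8_t kBadRecord[]  = { 'C','E','L','L',  2,0,0,0, 'a','b','c','d' };

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: the "fits in buffer" check passes for rec_len = 2, then the
 * unsigned subtraction rec_len - HDR_LEN wraps to 0xFFFFFFFA. In real code
 * that value feeds memcpy or an allocator; here it is only returned so the
 * wrap is observable without corrupting memory. */
uint32_t body_len_vulnerable(const uint8_t *buf, size_t buf_len) {
    if (buf_len < HDR_LEN) return 0;
    uint32_t rec_len = read_u32le(buf + 4);
    if (rec_len > buf_len) return 0;     /* upper bound only: this is the bug */
    return rec_len - HDR_LEN;            /* wraps when rec_len < HDR_LEN */
}

/* Hardened: bound the declared length on both sides before subtracting, so
 * the subtraction cannot wrap and the body never exceeds the bytes actually
 * present. Returns -1 on malformed input. */
int64_t body_len_hardened(const uint8_t *buf, size_t buf_len) {
    if (buf_len < HDR_LEN) return -1;
    uint32_t rec_len = read_u32le(buf + 4);
    if (rec_len < HDR_LEN || rec_len > buf_len) return -1;
    return (int64_t)(rec_len - HDR_LEN);
}

/* Copy the body out through the hardened length check only. */
int64_t extract_body(const uint8_t *buf, size_t buf_len, uint8_t *out, size_t out_cap) {
    int64_t n = body_len_hardened(buf, buf_len);
    if (n < 0 || (uint64_t)n > out_cap) return -1;
    memcpy(out, buf + HDR_LEN, (size_t)n);
    return n;
}

/* Convenience for inspecting the extracted body: first body byte, or -1. */
int extract_first_byte(const uint8_t *buf, size_t buf_len) {
    uint8_t out[64];
    int64_t n = extract_body(buf, buf_len, out, sizeof out);
    return n > 0 ? out[0] : -1;
}

int main(void) {
    printf("good record: vulnerable=%" PRIu32 " hardened=%lld\n",
           body_len_vulnerable(kGoodRecord, sizeof kGoodRecord),
           (long long)body_len_hardened(kGoodRecord, sizeof kGoodRecord));
    printf("bad record:  vulnerable=%" PRIu32 " (wrapped) hardened=%lld (rejected)\n",
           body_len_vulnerable(kBadRecord, sizeof kBadRecord),
           (long long)body_len_hardened(kBadRecord, sizeof kBadRecord));
    return 0;
}
```

The fix is not the extra comparison by itself but its placement: the lower bound must be checked before the subtraction is performed, because once the wrapped value exists any later `<= remaining` test is already comparing the wrong number.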

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment - the CVE is matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle Microsoft Office components. Any image in a customer registry or CI/CD pipeline carrying an affected Excel version is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.0 (High) and applies per-environment compliance policy weighting to prioritize alerting and route findings to the appropriate team inbox within each customer organization. Environments with stricter desktop-software policies will see this surfaced at elevated priority relative to the base score.

Patch: Available

A patched-image rebuild at the fixed versions (16.0.5556.1001 for Excel 2016, 16.0.10417.20137 for Office Online Server, and the releases listed at the Microsoft Office Security Releases page for the other affected products) is available for environments running an affected version. Note that 16.0.5556.1001 is an MSI-installed Excel 2016 build; Click-to-Run installs (Microsoft 365 Apps, Office 2019, LTSC 2021 and LTSC 2024) use a different build-number series, so compare those against the build listed on the Office Security Releases page rather than against 16.0.5556.1001. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    No network-facing service is involved; the vulnerable code runs only when Excel parses the crafted file on the victim's machine. The attacker does not need a prior shell or foothold on the host, only a way to get the file opened (see Victim interaction below).

  • Authentication: Not required

    No credentials or account privileges are required - the attacker relies on the victim opening a malicious file rather than on any authenticated session.

  • Victim interaction: Required

    The victim must open a specially crafted Excel file, making this a social-engineering-dependent attack delivered via phishing, shared drives, or similar means.

  • Attack complexity: High

    Attack complexity is rated High, meaning reliable exploitation depends on environmental factors such as specific memory layout or timing conditions that are not fully under the attacker's control.

Blast Radius

  • The attacker executes arbitrary code in the context of the victim user, gaining the same file-system and process permissions as that user.
  • Sensitive files accessible to the victim (documents, credentials, tokens stored on disk) can be read and exfiltrated.
  • The attacker can write or modify files and persisted data within the victim's permissions scope, including Office documents and configuration files.
  • The affected Excel process and any dependent processes can be terminated or destabilized, disrupting the user's work environment.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any customer image that includes an affected Microsoft Excel or Office component, covering the full range of 2016, 2019, LTSC 2021, LTSC 2024, and 365 Apps versions listed in the advisory. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs a regression test, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy permits, this flow runs without manual intervention. Environments running Mac variants (Microsoft Office 365 for Mac, LTSC for Mac 2021, LTSC for Mac 2024) should consult the Microsoft Office Security Releases page directly, as those products are listed as affected without a discrete version number in the advisory record. HarborGuard will re-evaluate those entries on each ingest cycle and make a patched rebuild available as soon as version information is confirmed upstream.


Fix available

16.0.5556.1001 (Excel 2016), 16.0.10417.20137 (Office Online Server); for the other affected products see https://aka.ms/OfficeSecurityReleases

Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    affected from 16.0.1; fixed build listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Excel 2016
    affected from 16.0.0.0, fixed in 16.0.5556.1001
  • Microsoft / Microsoft Office 2019
    affected from 19.0.0; fixed build listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office 365 for Mac
    no version range in the advisory record
  • Microsoft / Microsoft Office LTSC 2021
    affected from 16.0.1; fixed build listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office LTSC 2024
    affected from 16.0.0; fixed build listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office LTSC for Mac 2021
    no version range in the advisory record
  • Microsoft / Microsoft Office LTSC for Mac 2024
    no version range in the advisory record
  • Microsoft / Office Online Server
    affected from 16.0.0.0, fixed in 16.0.10417.20137
CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Base metrics: local attack vector (AV:L), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), high confidentiality, integrity and availability impact; this yields the base score of 7.0. Temporal metrics: exploit code maturity unproven (E:U), official fix available (RL:O), report confidence confirmed (RC:C); applying them gives a temporal score of 6.1.