HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-44820Published Modified CNA microsoft

CVE-2026-44820: Microsoft Excel Remote Code Execution Vulnerability

Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1
7.8
Severity
HIGH
Fixed in
16.0.5556.1001
Affected Products
9

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An integer underflow vulnerability in Microsoft Excel allows an attacker to execute arbitrary code on the local machine. The attack is launched locally and requires no prior authentication, but the victim must open a specially crafted Excel file. Successful exploitation gives the attacker full code execution in the context of the logged-in user, enabling data theft, file modification, or further system compromise. Patched-image rebuilds at versions 16.0.5556.1001 and 16.0.10417.20137 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Microsoft Office components.

Available
Triage

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 base score and weights it against each environment's compliance policy to prioritize routing; findings are dispatched to the appropriate team inbox within each customer organization automatically.

Available
Patch

A patched-image rebuild at versions 16.0.5556.1001 and 16.0.10417.20137 becomes available on HarborGuard for any image found to contain an affected Excel or Office installation. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network exposure is required to trigger the vulnerability.

  • AuthenticationNot required

    No account or credential is required before attempting exploitation; the attack is available to any unprivileged local party.

  • Victim interactionRequired

    The victim must open a malicious Excel file, making this a social-engineering vector where the attacker must deliver a crafted document.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other environmental preconditions.

Blast Radius

  • Reads files and data accessible to the logged-in user, including documents, credentials stored on disk, and session material.
  • Writes or modifies files in any location the victim user can access, including configuration files and scripts.
  • Executes arbitrary processes under the victim user account, enabling installation of persistence mechanisms or lateral-movement tooling.
  • Crashes or destabilizes the Excel process and any dependent workflows running under the same user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44820 is active across all connected registries and pipelines, matching any image that bundles an affected version of Microsoft Excel or Office. Where compliance policy permits, auto-remediation customers receive a rebuilt image at the patched version (16.0.5556.1001 for Excel 2016, or the channel release referenced at aka.ms/OfficeSecurityReleases for Microsoft 365 and LTSC products), followed by an automated regression run and a pull request opened against affected workloads. For environments with auto-remediation enabled, median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes. Customers who manage remediation manually can review the finding in their HarborGuard dashboard, where each affected image is listed alongside the fix version and the upstream advisory link for full context.

See how HarborGuard automates this

Fix available

16.0.5556.100116.0.10417.20137https://aka.ms/OfficeSecurityReleases
Patch commits
Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Excel 2016
    < 16.0.5556.1001 (from 16.0.0.0)
  • Microsoft / Microsoft Office 2019
    < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
  • Microsoft / Microsoft Office 365 for Mac
    -
  • Microsoft / Microsoft Office LTSC 2021
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office LTSC 2024
    < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
  • Microsoft / Microsoft Office LTSC for Mac 2021
    -
  • Microsoft / Microsoft Office LTSC for Mac 2024
    -
  • Microsoft / Office Online Server
    < 16.0.10417.20137 (from 16.0.0.0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References