HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-44823Published Modified CNA microsoft

CVE-2026-44823: Microsoft Excel Remote Code Execution Vulnerability

Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Metrics

CVSS v3.1
7.8
Severity
HIGH
Fixed in
16.0.5556.1001
Affected Products
9

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An integer underflow vulnerability in Microsoft Excel allows an attacker to trigger arbitrary code execution on the local machine. The attack is local in delivery and requires no prior authentication, but does require the victim to open a malicious file. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system. Patched-image rebuilds at versions 16.0.5556.1001 and 16.0.10417.20137 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection for CVE-2026-44823 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Microsoft Office components. Any image found to carry an affected Excel version is flagged immediately in the customer registry and pipeline scan results.

Available
Triage

HarborGuard scores this CVE at 7.8 HIGH using the CVSS v3.1 base score and can weight that score further against each environment's compliance policy, for example elevating priority in regulated workloads. Findings are routed to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Available
Patch

A patched-image rebuild targeting versions 16.0.5556.1001 or 16.0.10417.20137 (per product variant) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attacker needs an existing shell or process on the host; no network-accessible service is required to trigger the vulnerability.

  • AuthenticationNot required

    No account or credentials are required before the attack can begin; the vulnerability is reachable by any unauthenticated local context.

  • Victim interactionRequired

    The victim must open a specially crafted Excel file, making this a social-engineering vector that relies on file delivery via email, download, or shared storage.

  • Attack complexityDetail

    Exploit complexity is low, meaning the attack is reliable and requires no special race conditions, memory-layout knowledge, or environmental setup beyond delivering the malicious file.

Blast Radius

  • The attacker executes arbitrary code in the context of the user who opened the file, giving full control over that user session.
  • All files and data readable by the victim user can be accessed and exfiltrated.
  • The attacker can modify or delete files, registry entries, and persisted data accessible to the victim account.
  • The affected Excel process and any dependent services can be crashed or made unavailable.

How HarborGuard Handles This

Available on HarborGuard: for any image found to contain an affected Excel or Office component, a rebuilt image targeting the vendor-patched versions (16.0.5556.1001 for Excel 2016, or the channel-specific release referenced at the Microsoft Office Security Releases page for other products) is made available as soon as the upstream fix is confirmed in HarborGuard's feed. For customers who opt into auto-remediation, the typical flow is a patched rebuild, an automated regression run, and a pull request opened against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy permits, customers can also enforce network-policy isolation on workloads that mount or process Office documents as a compensating control while upgrades are staged.

See how HarborGuard automates this

Fix available

16.0.5556.100116.0.10417.20137https://aka.ms/OfficeSecurityReleases
Patch commits
Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Excel 2016
    < 16.0.5556.1001 (from 16.0.0.0)
  • Microsoft / Microsoft Office 2019
    < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
  • Microsoft / Microsoft Office 365 for Mac
    -
  • Microsoft / Microsoft Office LTSC 2021
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office LTSC 2024
    < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
  • Microsoft / Microsoft Office LTSC for Mac 2021
    -
  • Microsoft / Microsoft Office LTSC for Mac 2024
    -
  • Microsoft / Office Online Server
    < 16.0.10417.20137 (from 16.0.0.0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References