CVE-2026-44824 | Severity: HIGH | CNA: microsoft

CVE-2026-44824: Microsoft Office Remote Code Execution Vulnerability

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 16.0.5556.1005
  • Affected Products: 11

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in Microsoft Office allows an attacker to execute arbitrary code on the local machine. The vulnerability is triggered locally when a user opens or interacts with a malicious file, requiring no authentication but needing the victim to take that action. Successful exploitation gives the attacker full code execution in the context of the logged-in user, enabling data theft, file modification, or further system compromise. Patched-image rebuilds at versions 16.0.5556.1005, 16.0.10417.20153, and 16.0.19725.20384 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-44824 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle Microsoft Office components. The capability covers all image layers and package manifests in connected registries and CI/CD pipelines.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to determine priority. Triage routing to the appropriate team inbox inside each customer organization is available as part of the standard pipeline flow.

Status: Available

Patch

A patched-image rebuild at the applicable fix version (16.0.5556.1005 for Office 2016, or the channel-specific releases listed at aka.ms/OfficeSecurityReleases for other products) becomes available on HarborGuard once the upstream package is published. For customers who opt into auto-remediation, the pipeline performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-exposed service is required to trigger this vulnerability.

  • Authentication: Not required

    No account or credentials are needed; the attacker only needs the ability to deliver a malicious file to the target system.

  • Victim interaction: Required

    The victim must open or otherwise interact with a crafted Office document, making this a social-engineering-dependent exploit path.

  • Attack complexity

    The exploit is reliable and condition-free once the victim opens the file; no race conditions or specific memory layout requirements are noted.

Blast Radius

  • Reads files and credentials accessible to the logged-in user, including stored Office documents, browser credential stores, and local configuration files.
  • Modifies or deletes files on the local filesystem within the user's permission scope, including documents, scripts, and application data.
  • Executes arbitrary processes under the victim's user context, enabling installation of malware, keyloggers, or lateral-movement tooling.
  • Crashes or corrupts the Office application process, causing loss of unsaved work and potential data corruption in open files.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-44824 is active across all connected registries and pipelines, matching images that bundle affected Microsoft Office builds against the published fix versions. Where an affected version is identified and a patched upstream package is available, a rebuilt image is made available automatically. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced in the triage queue with fix-version detail so engineers can act manually. For Mac variants listed without a pinned fix version, HarborGuard re-checks the advisory each ingest cycle and will make a patched rebuild available the moment the upstream fix is confirmed published.

Fix available

  • 16.0.5556.1005
  • 16.0.10417.20153
  • 16.0.19725.20384
  • https://aka.ms/OfficeSecurityReleases

Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office 2016
    < 16.0.5556.1005 (from 16.0.0)
  • Microsoft / Microsoft Office 2019
    < https://aka.ms/OfficeSecurityReleases (from 19.0.0)
  • Microsoft / Microsoft Office 365 for Mac
    -
  • Microsoft / Microsoft Office LTSC 2021
    < https://aka.ms/OfficeSecurityReleases (from 16.0.1)
  • Microsoft / Microsoft Office LTSC 2024
    < https://aka.ms/OfficeSecurityReleases (from 16.0.0)
  • Microsoft / Microsoft Office LTSC for Mac 2021
    -
  • Microsoft / Microsoft Office LTSC for Mac 2024
    -
  • Microsoft / Microsoft SharePoint Enterprise Server 2016
    < 16.0.5556.1005 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server 2019
    < 16.0.10417.20153 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server Subscription Edition
    < 16.0.19725.20384 (from 16.0.0)
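
The fix build differs per product even though every build starts with "16.0", so an inventory check has to key on the product name and compare the dotted build numerically. The sketch below is an added example, not HarborGuard's or Microsoft's code; the ranges are transcribed from the list above, and the host names and installed builds are constructed sample data.

```python
# Added example. Ranges come from the "Affected packages" list on this page:
# product -> (first affected build, first fixed build). A fix of None means the
# page pins no build number (it shows the release-notes URL or "-").
AFFECTED = {
    "Microsoft Office 2016": ("16.0.0", "16.0.5556.1005"),
    "Microsoft SharePoint Enterprise Server 2016": ("16.0.0", "16.0.5556.1005"),
    "Microsoft SharePoint Server 2019": ("16.0.0", "16.0.10417.20153"),
    "Microsoft SharePoint Server Subscription Edition": ("16.0.0", "16.0.19725.20384"),
    "Microsoft 365 Apps for Enterprise": ("16.0.1", None),
    "Microsoft Office 2019": ("19.0.0", None),
    "Microsoft Office LTSC 2021": ("16.0.1", None),
    "Microsoft Office LTSC 2024": ("16.0.0", None),
    "Microsoft Office 365 for Mac": (None, None),
    "Microsoft Office LTSC for Mac 2021": (None, None),
    "Microsoft Office LTSC for Mac 2024": (None, None),
}

def parse_build(text, width=4):
    """Turn '16.0.5556.1005' into (16, 0, 5556, 1005), zero-padded to `width`."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def classify(product, build):
    """Return 'affected', 'fixed', 'below-range', 'check-advisory' or 'not-listed'."""
    if product not in AFFECTED:
        return "not-listed"
    first, fix = AFFECTED[product]
    if fix is None:
        return "check-advisory"  # no pinned fix build on the page
    b = parse_build(build)
    if b >= parse_build(fix):
        return "fixed"
    if b < parse_build(first):
        return "below-range"
    return "affected"

# Constructed inventory rows (host, product, installed build); not real hosts.
INVENTORY = [
    ("ws-01", "Microsoft Office 2016", "16.0.5539.1001"),
    ("sp-01", "Microsoft SharePoint Server 2019", "16.0.10417.20153"),
    ("sp-02", "Microsoft SharePoint Server Subscription Edition", "16.0.9999.1000"),
    ("ws-02", "Microsoft Office LTSC 2021", "16.0.14332.20000"),
]

def triage(rows=INVENTORY):
    """Map each host to its verdict for CVE-2026-44824."""
    return {host: classify(product, build) for host, product, build in rows}
```

The sp-02 row is the case a plain string comparison gets wrong: "16.0.9999.1000" sorts after "16.0.19725.20384" as text, which would mark an unpatched server as fixed.
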
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C