HIGH | CVE-2026-45469 | CNA: microsoft

CVE-2026-45469: Microsoft Excel Remote Code Execution Vulnerability

Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 16.0.5556.1001
  • Affected Products: 9


HarborGuard Analysis

Synopsis

An integer underflow vulnerability in Microsoft Excel allows an attacker to execute arbitrary code on the victim's machine. The attack vector is local and requires no authentication, but the victim must open a specially crafted Excel file, so this is a file-based social-engineering exploit. Successful exploitation gives the attacker code execution with the privileges of the user running Excel, which fully compromises the confidentiality, integrity, and availability of that user's environment. Patched-image rebuilds at versions 16.0.5556.1001 and 16.0.10417.20137 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-45469 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built images that bundle Microsoft Office or Excel components. HarborGuard ingests from upstream advisory feeds continuously, so any image carrying an affected Excel version is flagged as soon as the record is ingested.

Triage (Available)

Triage is available with CVSS v3.1 scoring at 7.8 (HIGH), weighted against each customer environment's compliance policy to prioritize and route findings to the appropriate team inbox. Per-environment policy weighting allows organizations to escalate or suppress the finding based on their own risk thresholds and workload context.

Patch (Available)

A patched-image rebuild at versions 16.0.5556.1001 or 16.0.10417.20137 becomes available for any HarborGuard-managed image carrying an affected Excel version once the fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-accessible service is required to trigger the vulnerability.

  • Authentication: Not required

    No account or credentials are required; the attacker only needs to get a crafted file in front of the victim.

  • Victim interaction: Required

    The victim must open a malicious Excel file, which requires a social-engineering step such as a phishing email or a malicious download.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors beyond the victim opening the file.

Blast Radius

  • Reads files and data accessible to the user running Excel, including stored credentials, documents, and session tokens.
  • Writes or modifies files and registry entries within the user's permissions, allowing persistence mechanisms or data tampering.
  • Crashes or disrupts the Excel process and potentially other processes running under the same user context.
  • Executes arbitrary code at the victim user's privilege level, enabling installation of malware or lateral movement within the host.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and patched-image rebuild for CVE-2026-45469. Any image in a customer registry or build pipeline that packages an affected version of Microsoft Excel is matched automatically within minutes of CVE ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the image at a fixed version (16.0.5556.1001 for Excel 2016, or the release referenced at aka.ms/OfficeSecurityReleases for M365 and LTSC channels), runs a regression test suite against the rebuilt image, and opens a pull request against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy restricts auto-remediation, the finding is routed to the team inbox with full CVSS context and fix-version details so engineers can act manually. Because this exploit requires victim interaction via a crafted file rather than a network-exposed service, container images that do not embed Excel components are not affected and will not be flagged.


Fix available

  • 16.0.5556.1001
  • 16.0.10417.20137
  • https://aka.ms/OfficeSecurityReleases (fix versions for M365 and LTSC channels)

Affected packages
  • Microsoft / Microsoft 365 Apps for Enterprise
    affected from 16.0.1; fixed version listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Excel 2016
    < 16.0.5556.1001 (from 16.0.0.0)
  • Microsoft / Microsoft Office 2019
    affected from 19.0.0; fixed version listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office 365 for Mac
    - (no version range given)
  • Microsoft / Microsoft Office LTSC 2021
    affected from 16.0.1; fixed version listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office LTSC 2024
    affected from 16.0.0; fixed version listed at https://aka.ms/OfficeSecurityReleases
  • Microsoft / Microsoft Office LTSC for Mac 2021
    - (no version range given)
  • Microsoft / Microsoft Office LTSC for Mac 2024
    - (no version range given)
  • Microsoft / Office Online Server
    < 16.0.10417.20137 (from 16.0.0.0)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C