Microsoft Patches Repeated Remote Code Execution Flaws Across Office Apps
Microsoft published a long series of security advisories for remote code execution vulnerabilities affecting core Office components, with the largest concentration in Excel and Word. The disclosures include Excel flaws such as CVE-2024-49026, CVE-2024-49069, CVE-2025-21362, CVE-2025-21381, CVE-2025-21387, CVE-2025-24082, CVE-2025-62553, CVE-2026-26107, CVE-2026-26109, CVE-2026-26112, and CVE-2026-40359, alongside Word issues including CVE-2025-24077, CVE-2025-24078, CVE-2025-47170, CVE-2025-49700, CVE-2025-59222, CVE-2026-23657, and CVE-2026-33095. Microsoft also listed related RCE bugs in Microsoft Office (CVE-2025-21392), PowerPoint (CVE-2025-54908), Inbox COM Objects (Global Memory) (CVE-2025-58730), and the Visual Studio Code Python Extension (CVE-2025-49714).
One of the few entries with technical detail, CVE-2026-40359, describes an Important Excel use-after-free flaw (CWE-416) with a CVSS 3.1 score of 7.8 that can let an attacker execute code if a user opens a malicious Office file. Microsoft said the bug was not publicly disclosed, not exploited in the wild, and less likely to be exploited at the time of publication, adding that the Preview Pane is not an attack vector and that a fix is available. Taken together, the advisories show Microsoft continuing to address document-driven code execution risks across Office products, where successful exploitation generally depends on user interaction with crafted files rather than direct network exposure.

How this story unfolded
35 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses and fixes Excel RCE flaw CVE-2026-40359
On 2026-05-12, Microsoft disclosed CVE-2026-40359, an Important Excel remote code execution vulnerability caused by a use-after-free flaw. Microsoft said exploitation required user interaction to open a malicious Office file, the Preview Pane was not an attack vector, no in-the-wild exploitation or prior public disclosure was known, and a fix was available; the issue was credited to f4 and Zhiniang Peng of HUST.
Microsoft discloses Excel RCE vulnerability CVE-2026-32197
On 2026-04-14, Microsoft published a Security Update Guide entry for CVE-2026-32197, an Important Microsoft Excel remote code execution vulnerability caused by a use-after-free flaw. Microsoft said exploitation required user interaction to open a malicious Office file, the Preview Pane was not an attack vector, no public disclosure or in-the-wild exploitation was known, and a fix was available.
Microsoft discloses Excel RCE vulnerability CVE-2026-32189
On 2026-04-14, Microsoft published a Security Update Guide entry for CVE-2026-32189, an Important Microsoft Excel remote code execution vulnerability caused by a use-after-free flaw. Microsoft said exploitation required user interaction to open a malicious Office file, the Preview Pane was not an attack vector, no public disclosure or in-the-wild exploitation was known, and a fix was available.
Microsoft publishes April 2026 Word RCE advisories
On 2026-04-14, Microsoft disclosed CVE-2026-23657 and CVE-2026-33095, both Microsoft Word remote code execution vulnerabilities. These entries were part of the April 2026 update cycle.
Microsoft discloses three Excel RCE vulnerabilities in March 2026
On 2026-03-10, Microsoft published Security Update Guide entries for CVE-2026-26107, CVE-2026-26109, and CVE-2026-26112. All three were identified as Microsoft Excel remote code execution vulnerabilities.
Microsoft publishes December 2025 Excel RCE vulnerability CVE-2025-62553
Microsoft released a Security Update Guide entry for CVE-2025-62553, a Microsoft Excel remote code execution vulnerability. The disclosure was published on 2025-12-09.
Microsoft publishes Excel RCE vulnerability CVE-2025-59224
On 2025-10-14, Microsoft published a Security Update Guide entry for CVE-2025-59224, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's October 2025 release cycle.
Microsoft publishes Excel RCE vulnerability CVE-2025-59223
On 2025-10-14, Microsoft published a Security Update Guide entry for CVE-2025-59223, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's October 2025 release cycle.
Microsoft releases October 2025 Word and Inbox COM Objects RCE advisories
On 2025-10-14, Microsoft published CVE-2025-59222 affecting Word and CVE-2025-58730 affecting Inbox COM Objects (Global Memory). Both were listed as remote code execution vulnerabilities.
Microsoft publishes Excel RCE vulnerability CVE-2025-54904
Microsoft released a Security Update Guide entry for CVE-2025-54904, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure was published on 2025-09-09 as part of Microsoft's September 2025 update cycle.
Microsoft publishes PowerPoint RCE vulnerability CVE-2025-54908
Microsoft disclosed CVE-2025-54908 as a Microsoft PowerPoint remote code execution vulnerability in the Security Update Guide. The entry was published on 2025-09-09.
Microsoft discloses Excel RCE vulnerability CVE-2025-49711
On 2025-07-08, Microsoft published a Security Update Guide entry for CVE-2025-49711, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's July 2025 release cycle.
Microsoft discloses July 2025 Word and VS Code Python extension RCE flaws
On 2025-07-08, Microsoft published entries for CVE-2025-49700 affecting Microsoft Word and CVE-2025-49714 affecting the Visual Studio Code Python Extension. Both were classified as remote code execution vulnerabilities.
Microsoft publishes Word RCE vulnerability CVE-2025-47170
Microsoft released a Security Update Guide entry for CVE-2025-47170, a Microsoft Word remote code execution vulnerability. The disclosure was published on 2025-06-10.
Microsoft publishes Office RCE vulnerability CVE-2025-47173
Microsoft released a Security Update Guide entry for CVE-2025-47173, identifying it as a Microsoft Office remote code execution vulnerability. The disclosure was published on 2025-06-10 as part of Microsoft's June 2025 update cycle.
Microsoft publishes Word RCE vulnerability CVE-2025-24079
On 2025-03-11, Microsoft published a Security Update Guide entry for CVE-2025-24079, identifying it as a Microsoft Word remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's March 2025 release cycle.
Microsoft discloses Excel RCE vulnerability CVE-2025-24081
On 2025-03-11, Microsoft published a Security Update Guide entry for CVE-2025-24081, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's March 2025 release cycle.
Microsoft discloses March 2025 Word and Excel RCE flaws
On 2025-03-11, Microsoft published Security Update Guide entries for CVE-2025-24077 and CVE-2025-24078 in Word and CVE-2025-24082 in Excel. The disclosures added multiple Office document-handling remote code execution issues to the March 2025 updates.
Microsoft publishes Office RCE vulnerability CVE-2025-21397
On 2025-02-11, Microsoft published a Security Update Guide entry for CVE-2025-21397, identifying it as a Microsoft Office remote code execution vulnerability. The disclosure adds another Office-related RCE issue to Microsoft's February 2025 release cycle.
Microsoft discloses Excel RCE vulnerability CVE-2025-21394
On 2025-02-11, Microsoft published a Security Update Guide entry for CVE-2025-21394, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's February 2025 release cycle.
Microsoft publishes February 2025 Office and Excel RCE advisories
On 2025-02-11, Microsoft disclosed CVE-2025-21381 and CVE-2025-21387 affecting Excel, along with CVE-2025-21392 affecting Microsoft Office. These entries indicate multiple remote code execution vulnerabilities addressed in the February 2025 release cycle.
Microsoft discloses Excel RCE vulnerability CVE-2025-21386
On 2025-02-11, Microsoft published a Security Update Guide entry for CVE-2025-21386, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's February 2025 release cycle.
Microsoft discloses Excel RCE vulnerability CVE-2025-21390
On 2025-02-11, Microsoft published a Security Update Guide entry for CVE-2025-21390, identifying it as a Microsoft Excel remote code execution vulnerability. This adds another Office document-handling RCE issue to Microsoft's February 2025 release cycle.
Microsoft discloses Outlook RCE vulnerability CVE-2025-21361
On 2025-01-14, Microsoft published a Security Update Guide entry for CVE-2025-21361, identifying it as a Microsoft Outlook remote code execution vulnerability. The disclosure adds another Office-related RCE issue to Microsoft's January 2025 release cycle.
Microsoft discloses Excel RCE vulnerability CVE-2025-21354
On 2025-01-14, Microsoft published a Security Update Guide entry for CVE-2025-21354, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's January 2025 release cycle.
Microsoft discloses Visio RCE vulnerability CVE-2025-21356
On 2025-01-14, Microsoft published a Security Update Guide entry for CVE-2025-21356, identifying it as a Microsoft Office Visio remote code execution vulnerability. The disclosure adds another Office-related RCE issue to Microsoft's January 2025 release cycle.
Microsoft discloses Access RCE vulnerability CVE-2025-21366
On 2025-01-14, Microsoft published a Security Update Guide entry for CVE-2025-21366, identifying it as a Microsoft Access remote code execution vulnerability. The disclosure adds another Office-related RCE issue to Microsoft's January 2025 release cycle.
Microsoft discloses Access RCE vulnerability CVE-2025-21395
On 2025-01-14, Microsoft published a Security Update Guide entry for CVE-2025-21395, identifying it as a Microsoft Access remote code execution vulnerability. The disclosure adds another Office-related RCE issue to Microsoft's January 2025 release cycle.
Microsoft releases January 2025 Office RCE fixes
On 2025-01-14, Microsoft published a Security Update Guide entry for CVE-2025-21362, an Excel remote code execution vulnerability. This marks a January Patch Tuesday disclosure affecting Microsoft Office components.
Microsoft discloses CVE-2024-49069 in Excel
Microsoft published a Security Update Guide entry for CVE-2024-49069, identifying another Microsoft Excel remote code execution vulnerability. The disclosure appeared on 2024-12-10.
Microsoft discloses Excel RCE vulnerability CVE-2024-49029
On 2024-11-12, Microsoft published a Security Update Guide entry for CVE-2024-49029, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's November 2024 update cycle.
Microsoft discloses Excel RCE vulnerability CVE-2024-49028
On 2024-11-12, Microsoft published a Security Update Guide entry for CVE-2024-49028, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure adds another Office document-handling RCE issue to Microsoft's November 2024 update cycle.
Microsoft discloses Office Graphics RCE vulnerability CVE-2024-49032
On 2024-11-12, Microsoft published a Security Update Guide entry for CVE-2024-49032, identifying it as a Microsoft Office Graphics remote code execution vulnerability. The disclosure adds another Office-related RCE issue to Microsoft's November 2024 update cycle.
Microsoft discloses Excel RCE vulnerability CVE-2024-49027
Microsoft published a Security Update Guide entry for CVE-2024-49027, identifying it as a Microsoft Excel remote code execution vulnerability. The disclosure was published on 2024-11-12 as part of Microsoft's November 2024 update cycle.
Microsoft publishes advisory for CVE-2024-49026 in Excel
Microsoft released a Security Update Guide advisory for CVE-2024-49026, a Microsoft Excel remote code execution vulnerability. The advisory was published on 2024-11-12.


