A critical heap-based buffer overflow vulnerability in Microsoft Office, tracked as CVE-2026-42831, was disclosed on May 12, 2026, as part of Microsoft’s May Patch Tuesday update cycle that addressed a staggering 132 CVEs across 20 product families.
Assigned a CVSS score of 7.8 (base) and 6.8 (temporal), this Critical-severity flaw allows an unauthorized attacker to remotely trigger local code execution by weaponizing a malicious Office file.
With patches already available for Office LTSC for Mac 2024, Office LTSC for Mac 2021, and Microsoft Office for Android, enterprise and mobile users face an urgent patching deadline before attackers can operationalize the disclosed details.
At its core, CVE-2026-42831 is a CWE-122 heap-based buffer overflow, a memory corruption class in which data is written beyond the allocated boundaries of a heap buffer.
When Microsoft Office processes a specially crafted malicious document, the vulnerable code path fails to properly validate input size against its allocated buffer, creating a window for attackers to corrupt heap memory and seize control of execution flow.
The vulnerability was reported by security researcher pwn2addr and acknowledged through Microsoft’s coordinated vulnerability disclosure program.
Microsoft Office RCE Vulnerability
Despite the “Remote Code Execution” label in the CVE title, Microsoft’s CVSS vector string (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) clearly marks the attack vector as Local (AV:L).
This nuance is deliberate; the attacker operates remotely, but the exploit itself executes locally on the victim’s machine, a pattern Microsoft often calls Arbitrary Code Execution (ACE). The attack requires no privileges from the attacker but does require the victim to open a malicious file, making social engineering the primary delivery mechanism.
Microsoft’s May 12, 2026, security update addresses CVE-2026-42831 across three specific products:
| Product | Fixed Build Number | Update Channel |
|---|---|---|
| Microsoft Office LTSC for Mac 2024 | 16.109.26051019 | Manual / Enterprise |
| Microsoft Office LTSC for Mac 2021 | 16.109.26051019 | Manual / Enterprise |
| Microsoft Office for Android | 16.0.19822.20190 | Google Play Store |
All three product updates are marked as customer action required, meaning automatic patching alone cannot be assumed; administrators must verify actual build versions against these fixed numbers.
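As an added example (not code from the article or from Microsoft), the Python below compares an inventory of installed Office builds against the fixed build numbers in the table above and lists what still needs patching. The inventory is constructed, and the helper that reads `CFBundleVersion` from an Office for Mac app bundle's `Info.plist` assumes that key holds the full build string.

```python
"""Check Microsoft Office build numbers against the fixed builds for CVE-2026-42831."""
import plistlib
from pathlib import Path

# Fixed builds as listed in Microsoft's May 12, 2026 advisory (taken from the article).
FIXED_BUILDS = {
    "Office LTSC for Mac 2024": "16.109.26051019",
    "Office LTSC for Mac 2021": "16.109.26051019",
    "Office for Android": "16.0.19822.20190",
}

def parse_build(build: str) -> tuple[int, ...]:
    """Turn '16.109.26051019' into (16, 109, 26051019) so builds compare numerically."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {build!r}")
    return tuple(int(p) for p in parts)

def is_patched(product: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed build for this product."""
    fixed = parse_build(FIXED_BUILDS[product])
    have = parse_build(installed)
    # Pad the shorter tuple with zeros so '16.109' compares sanely with '16.109.26051019'.
    width = max(len(fixed), len(have))
    fixed += (0,) * (width - len(fixed))
    have += (0,) * (width - len(have))
    return have >= fixed

def mac_app_build(app_path: str) -> str:
    """Read the build from an Office for Mac app bundle, e.g. '/Applications/Microsoft Word.app'.
    Assumption (not stated in the article): CFBundleVersion carries the full build string."""
    info = Path(app_path) / "Contents" / "Info.plist"
    with open(info, "rb") as fh:
        return plistlib.load(fh)["CFBundleVersion"]

def audit(inventory: dict[str, str]) -> list[str]:
    """Return the products in a {product: installed_build} inventory that are still unpatched."""
    return [product for product, build in inventory.items() if not is_patched(product, build)]

if __name__ == "__main__":
    # Constructed sample inventory, as an MDM agent might report it; not real data.
    sample = {
        "Office LTSC for Mac 2024": "16.108.26042100",   # behind the fix
        "Office LTSC for Mac 2021": "16.109.26051019",   # exactly the fixed build
        "Office for Android": "16.0.19822.20190",        # exactly the fixed build
    }
    for product in audit(sample):
        print(f"NEEDS PATCH: {product} ({sample[product]} < {FIXED_BUILDS[product]})")
```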
Security analysts at WindowsForum warn that the absence of public exploit code provides no real comfort. The moment patches are released, sophisticated threat actors begin patch diffing, comparing pre- and post-patch binaries to reverse-engineer the vulnerable code path.
Office’s enormous global install base makes that reverse-engineering effort commercially attractive to criminal ecosystems. The exploit chain is deceptively simple: an attacker crafts a malicious Office document, delivers it via email, SharePoint, OneDrive, Teams, or even a trusted vendor portal, and waits for the target to open it.
Finance teams opening spreadsheets, HR departments processing resumes, and legal teams handling Word documents are all viable targets; every business workflow that touches Office content becomes a potential entry point.
What makes this class of vulnerability particularly corrosive is Office’s compatibility burden. Office is designed to open old, malformed, third-party, and legacy documents, which dramatically expands its parsers’ attack surface. Neither firewalls nor email gateways can reliably stop a malicious file arriving through an approved, trusted workflow.
As of May 12, 2026, Microsoft has assessed CVE-2026-42831 with the following threat posture:
- Publicly Disclosed: No
- Actively Exploited: No
- Exploit Code Maturity: Unproven
- Exploitability Assessment: Exploitation Unlikely
- Remediation Level: Official Fix Available
- Report Confidence: Confirmed
While the “Exploitation Unlikely” rating offers a temporary buffer, security professionals warn that this window is narrow. May 2026’s broader Patch Tuesday batch included 29 Critical-severity CVEs and 13 issues flagged as likely to be exploited within 30 days, in a threat-dense environment where attackers actively harvest low-hanging fruit.
Notably, CVE-2026-42831 appeared alongside six other Office RCE vulnerabilities (CVE-2026-40358, CVE-2026-40361, CVE-2026-40363, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367), several of which are exploitable via the Outlook Preview Pane, sharply amplifying the overall document-based threat surface.
Mitigation
Organizations should treat CVE-2026-42831 as a priority remediation item, especially in mixed Office environments. Recommended actions include:
- Apply patches immediately: Verify Office build numbers match the fixed versions listed above; Click-to-Run channel updates and enterprise managed deployments must be confirmed separately.
- Prioritize high-risk users: Finance, HR, legal, sales, and executive support teams that regularly receive external documents should be patched first.
- Enforce application restarts: Downloaded Office updates are not applied until applications fully close and restart. Enforce this via maintenance windows or Intune policies.
- Enable Attack Surface Reduction (ASR) rules: Block Office from spawning child processes, writing executable content, and launching script interpreters.
- Audit unsupported Office versions: Legacy or EOL Office builds may share the same vulnerable code paths and will not receive official fixes.
- Correlate endpoint telemetry: Monitor for Office spawning PowerShell, cmd.exe, mshta, rundll32, or making unusual outbound network connections.
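The telemetry correlation in the last item, as an added example that is not part of the article or any vendor product: a small Python detector that walks process-creation records and flags an Office application spawning one of the interpreters the article names. The record format and the sample log lines are constructed for this example; a real EDR or Sysmon feed would need its own parser.

```python
"""Flag Office parents spawning the script interpreters / LOLBins named in the mitigation list."""
import re
from dataclasses import dataclass

# Office executables to treat as parents, and the child names the article calls out.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}

@dataclass
class Finding:
    host: str
    parent: str
    child: str
    cmdline: str

def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def parse_event(line: str) -> dict:
    """Parse one constructed record: ts|host|parent_image|child_image|cmdline."""
    ts, host, parent, child, cmdline = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "child": child, "cmdline": cmdline}

def detect(lines) -> list[Finding]:
    """Return a Finding for every Office parent -> suspicious child pair in the records."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        parent, child = basename(ev["parent"]), basename(ev["child"])
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            findings.append(Finding(ev["host"], parent, child, ev["cmdline"]))
    return findings

# Constructed sample process-creation log (not real telemetry). Only two lines should fire:
# Word -> powershell.exe and Excel -> rundll32.exe; Explorer launching Word and Excel
# launching its own print helper are benign and must not be flagged.
SAMPLE_LOG = r"""
2026-05-13T09:02:11Z|fin-ws-07|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -File C:\Users\Public\run.ps1
2026-05-13T09:02:13Z|fin-ws-07|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE Q2_forecast.docx
2026-05-13T09:05:40Z|hr-ws-02|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\Public\upd.dll,Start
2026-05-13T09:06:02Z|hr-ws-02|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Program Files\Microsoft Office\root\Office16\splwow64.exe|splwow64.exe
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {f.host}: {f.parent} -> {f.child}  [{f.cmdline}]")
```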
FAQ
Q1: Why is CVE-2026-42831 called “Remote Code Execution” if the attack vector is Local?
The “Remote” in the title refers to the attacker’s location, not the exploit mechanism. The attacker sends a malicious file from a remote location, but the code executes locally on the victim’s machine when the file is opened.
Q2: What user action is required to trigger this vulnerability?
A victim must open a malicious Office file sent by the attacker. No zero-click or Preview Pane exploitation vector has been confirmed for this CVE.
Q3: Is the Outlook Preview Pane an attack vector for CVE-2026-42831?
No, Microsoft has confirmed the Outlook Preview Pane is not an attack vector for this specific vulnerability, unlike several other Office RCEs patched simultaneously in May 2026.
Q4: Which Microsoft Office versions are currently patched against CVE-2026-42831?
Security updates have been released for Microsoft Office LTSC for Mac 2024, Office LTSC for Mac 2021 (both build 16.109.26051019), and Microsoft Office for Android (build 16.0.19822.20190).
Site: thecybrdef.com