A critical-class spoofing vulnerability, tracked as CVE-2026-42832, has been officially disclosed by Microsoft, affecting multiple versions of Microsoft Office across macOS and Android.
Disclosed as part of Microsoft’s May 12, 2026, Patch Tuesday cycle, which patched a sweeping 120 to 132 vulnerabilities across its entire software portfolio, this flaw allows a local unauthorized attacker to conduct spoofing attacks by exploiting improper access control mechanisms within the Office suite.
CVE-2026-42832 is rooted in CWE-284: Improper Access Control, a weakness class defined by MITRE as a failure to restrict or correctly enforce access to a resource from an unauthorized actor.
In the context of Microsoft Office, this means the application fails to properly validate trust boundaries locally, allowing a malicious actor to craft or modify content that the Office suite treats as trusted, thereby deceiving end users.
The vulnerability carries a CVSS 3.1 base score of 7.7, categorizing it as high severity, with a temporal score of 6.7 after accounting for official remediation and low exploit code maturity.
CVE-2026-42832: Microsoft Office Spoofing Vulnerability
The attack vector is local, requiring no elevated privileges and no user interaction, a combination that makes the flaw particularly deceptive in shared or multi-user computing environments.
The confidentiality and integrity impacts are both rated High, meaning successful exploitation could allow attackers to manipulate document authenticity, alter how content appears to originate, or deceive users about the safety state of files they are handling.
Microsoft confirmed the vulnerability impacts four specific Office products, all requiring immediate customer action:
- Microsoft Office LTSC for Mac 2024 – Build 16.109.26051019
- Microsoft Office LTSC for Mac 2021 – Build 16.109.26051019
- Microsoft Excel for Android – Build 16.0.19822.20190
- Microsoft Word for Android – Build 16.0.19822.20190
All four were patched on May 12, 2026, as part of the same Patch Tuesday release cycle. Organizations running these Office versions on macOS or Android devices should treat patching as a priority operational task, not a delayed action item.
Spoofing vulnerabilities in Office are not headline-grabbing remote code execution flaws, but they are operationally dangerous in targeted attack chains. A spoofing issue in Office can manipulate how content appears to originate, how a file is represented, how a link is displayed, or how the application communicates a safety state to the user.
When an attacker controls these trust signals, even locally, they can stage convincing document-based phishing attacks, abuse macro execution contexts, or manipulate file source indicators to bypass organizational security policies.
The flaw enables a malicious user with local access to craft content that the Office suite will treat as trusted, effectively deceiving the user into believing a document or link is legitimate when it is not. This kind of trust-layer manipulation is a foundational technique in social engineering campaigns targeting enterprise environments.
CVE-2026-42832 was one of 13 spoofing vulnerabilities patched in Microsoft’s May 2026 Patch Tuesday cycle, alongside 31 remote code execution flaws, 61 elevation-of-privilege vulnerabilities, and 14 information disclosure bugs.
The month’s critical CVEs include multiple Office, Word, and Excel RCE vulnerabilities such as CVE-2026-40359, CVE-2026-40362, and CVE-2026-40366, several of which can be triggered via the Office Preview Pane.
Security administrators are being urged to prioritize Office-related patch deployments, especially in organizations where employees regularly handle external email attachments.
While no public disclosure of exploit details or active in-the-wild exploitation has been reported for CVE-2026-42832, and it carries a very low EPSS score of 0.00042, the lack of active exploitation does not eliminate risk; it simply means the current threat window remains narrow.
Historical patterns show that once spoofing vulnerabilities are publicly detailed post-patch, threat actors rapidly develop proof-of-concept exploits to layer into existing attack frameworks.
Microsoft’s exploitability assessment classifies this vulnerability as Exploitation Unlikely, with no evidence of public disclosure or active in-the-wild exploitation as of the original publication date.
The vulnerability was responsibly disclosed to Microsoft by security researcher Yanir Tsarimi through coordinated vulnerability disclosure. Exploit code maturity is listed as “Unproven,” and the official fix has been confirmed and released.
Mitigation
Security teams should immediately apply the May 12, 2026, security updates for all affected Office products. Specific guidance:
- macOS users running Office LTSC 2021 or 2024 should update to build 16.109.26051019 via Microsoft AutoUpdate.
- Android users of Excel and Word should update to build 16.0.19822.20190 via the Google Play Store.
- Apply the principle of least privilege to limit local attacker access on shared systems.
- Monitor for unusual document trust behavior or unexpected macro execution in Office environments.
- Cross-reference your environment against Microsoft’s full May 2026 Security Update Guide for any co-existing vulnerabilities that could be chained with CVE-2026-42832.
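A patch-compliance check for the builds listed above, added here as an example and not code from the article or from Microsoft: it compares each device's installed Office build numerically against the fixed build for its product and reports everything still below it. The inventory rows are constructed sample data (the host names and the older build strings are made up); in practice the rows would come from an MDM or endpoint-management export, which the example assumes is already available.

```python
# Minimum patched builds for CVE-2026-42832, as stated in the advisory.
PATCHED_BUILDS = {
    "Office LTSC for Mac 2021": "16.109.26051019",
    "Office LTSC for Mac 2024": "16.109.26051019",
    "Excel for Android": "16.0.19822.20190",
    "Word for Android": "16.0.19822.20190",
}

def parse_build(build):
    """'16.109.26051019' -> (16, 109, 26051019); tuples compare numerically field by field,
    so '16.109...' correctly sorts above '16.99...' (a plain string compare would not)."""
    return tuple(int(part) for part in build.strip().split("."))

def is_patched(product, installed_build):
    """True when the installed build is at or above the fixed build for that product."""
    return parse_build(installed_build) >= parse_build(PATCHED_BUILDS[product])

def unpatched(inventory):
    """Return [(host, product, build, reason), ...] for every row that needs attention.

    Products the advisory does not list are reported explicitly rather than silently passed,
    so an unexpected SKU cannot hide in the 'compliant' column.
    """
    findings = []
    for host, product, build in inventory:
        if product not in PATCHED_BUILDS:
            findings.append((host, product, build, "product not in advisory"))
        elif not is_patched(product, build):
            findings.append((host, product, build, "below " + PATCHED_BUILDS[product]))
    return findings

# Constructed sample inventory (host, product, installed build); not real telemetry.
SAMPLE_INVENTORY = [
    ("mac-01", "Office LTSC for Mac 2024", "16.109.26051019"),   # exactly the fixed build
    ("mac-02", "Office LTSC for Mac 2021", "16.108.26041019"),   # constructed older build
    ("droid-01", "Excel for Android", "16.0.19822.20190"),       # fixed build
    ("droid-02", "Word for Android", "16.0.19725.20120"),        # constructed older build
    ("mac-03", "Office 2019 for Mac", "16.78.23102801"),         # product not in the advisory
]

if __name__ == "__main__":
    for finding in unpatched(SAMPLE_INVENTORY):
        print(*finding)
```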
FAQ
Q1: What is CVE-2026-42832?
It is a Microsoft Office spoofing vulnerability caused by improper access control (CWE-284) that lets a local unauthorized attacker forge or manipulate trusted content within Office applications.
Q2: Is the Preview Pane an attack vector for CVE-2026-42832?
No, Microsoft has explicitly confirmed the Preview Pane is not an attack vector for this specific vulnerability.
Q3: Which Office products are affected by CVE-2026-42832?
Microsoft Office LTSC for Mac 2021, Office LTSC for Mac 2024, Microsoft Excel for Android, and Microsoft Word for Android are all affected and require patching.
Q4: Has CVE-2026-42832 been actively exploited in the wild?
As of May 12, 2026, Microsoft rates exploitation as unlikely, with no public disclosure or confirmed in-the-wild exploitation reported.
Site: thecybrdef.com