CVE-2026-20943 Overview
CVE-2026-20943 is an untrusted search path vulnerability in Microsoft Office that enables local code execution. The flaw stems from improper handling of DLL search paths [CWE-426], allowing an attacker to plant a malicious library that Office loads at runtime. Successful exploitation requires user interaction and grants code execution in the context of the user. Microsoft has rated the issue High severity, and the vulnerability affects Microsoft Office 2016, the Office Deployment Tool, and several SharePoint Server editions.
Critical Impact
Attackers can achieve local code execution in Microsoft Office by placing a malicious DLL in a directory that the loader probes before it finds the legitimate library (or where no legitimate library exists at all), leading to full compromise of the confidentiality, integrity, and availability of everything the user's account can reach.
Affected Products
- Microsoft Office 2016 (x64 and x86)
- Microsoft Office Deployment Tool
- Microsoft SharePoint Server 2016 Enterprise, 2019, and Subscription Edition
Discovery Timeline
- 2026-01-13 - CVE-2026-20943 published to the National Vulnerability Database
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-20943
Vulnerability Analysis
The vulnerability is classified under [CWE-426] Untrusted Search Path. When an Office component loads a library by bare name rather than by full path, the Windows loader probes a fixed sequence of directories, and that sequence includes the current working directory and the entries of %PATH%, locations an unprivileged user can control. If the requested library is not present in the directories probed earlier (or the application directory itself is writable), a crafted dynamic-link library (DLL) planted in one of those locations is mapped into the Office process and its code runs at process startup or when the feature that needs the library is invoked.
The attack is local, requires user interaction, and has high attack complexity. Exploitation yields code execution under the user's credentials, compromising confidentiality, integrity, and availability of accessible data. The EPSS forecast indicates a low near-term exploitation probability, but the impact remains significant for environments where users routinely open documents from network shares or removable media.
Root Cause
The root cause is that Office binaries resolve some libraries by name, which leaves the choice of file to the loader's search order. Under the default SafeDllSearchMode the loader probes the application directory, then the system directories, then the current working directory and %PATH%; with SafeDllSearchMode disabled the current working directory is probed immediately after the application directory. Either way, a library that the earlier directories do not contain is taken from the first user-controlled directory that does. Because opening a document sets the working directory to the document's folder, an attacker who controls that folder controls what gets loaded, which is what makes DLL planting and DLL preloading attacks against Office processes possible.
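The search order described above, modelled in Python as an added example for this page (this is not Microsoft's loader code). The order follows Microsoft's documented default (SafeDllSearchMode enabled) and the documented CWDIllegalInDllSearch values; the 16-bit system directory step is omitted for brevity, and every path and DLL name in the demo, including "optionalplugin.dll", is constructed. It goes slightly beyond the paragraph by also showing the legacy order and the CWDIllegalInDllSearch workaround, so the same model explains both why the hijack works and why removing the working directory from the search stops it.

```python
"""Model of the Windows DLL search order behind a CWE-426 search-path hijack.

Added example for this page, not Microsoft's loader code. It reproduces the
documented default order (SafeDllSearchMode enabled) and the effect of the
CWDIllegalInDllSearch values on the current-working-directory step; the
16-bit system directory step is omitted. Every path and DLL name in demo()
is constructed, including "optionalplugin.dll".
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Documented CWDIllegalInDllSearch values
CWD_ALLOWED = 0x0           # CWD searched at its normal position (default)
CWD_NO_REMOTE = 0x1         # skip CWD when it is a remote (UNC or WebDAV) folder
CWD_NO_WEBDAV = 0x2         # skip CWD when it is a WebDAV folder
CWD_NEVER = 0xFFFFFFFF      # remove CWD from the search order entirely


@dataclass
class Loader:
    app_dir: str                                   # directory of the loading .exe
    system32: str = r"C:\Windows\System32"
    windows_dir: str = r"C:\Windows"
    path: list[str] = field(default_factory=list)  # %PATH% entries, probed last
    safe_search: bool = True                       # SafeDllSearchMode (default on)
    cwd_illegal: int = CWD_ALLOWED

    def search_order(self, cwd: str, cwd_remote: bool = False, cwd_webdav: bool = False) -> list[str]:
        """Directories in the order LoadLibrary("name.dll") probes them."""
        cwd_blocked = (
            self.cwd_illegal == CWD_NEVER
            or (self.cwd_illegal == CWD_NO_REMOTE and (cwd_remote or cwd_webdav))
            or (self.cwd_illegal == CWD_NO_WEBDAV and cwd_webdav)
        )
        cwd_step = [] if cwd_blocked else [cwd]
        if self.safe_search:
            return [self.app_dir, self.system32, self.windows_dir] + cwd_step + self.path
        # Legacy order: CWD is probed right after the application directory
        return [self.app_dir] + cwd_step + [self.system32, self.windows_dir] + self.path

    def resolve(self, name: str, filesystem: dict[str, set[str]], cwd: str, **cwd_flags) -> Optional[str]:
        """Directory whose copy of `name` gets mapped, or None if nothing is found."""
        wanted = name.lower()
        for directory in self.search_order(cwd, **cwd_flags):
            if wanted in {n.lower() for n in filesystem.get(directory, set())}:
                return directory
        return None


def demo() -> dict[str, Optional[str]]:
    """Word opened from a document folder an attacker can write to (constructed)."""
    office_dir = r"C:\Program Files\Microsoft Office\root\Office16"
    doc_dir = r"\\fileserver\share\invoices"  # becomes the CWD when the document is opened
    fs = {
        r"C:\Windows\System32": {"kernel32.dll", "version.dll"},
        office_dir: {"WINWORD.EXE"},
        doc_dir: {"invoice.docx", "version.dll", "optionalplugin.dll"},
    }
    default = Loader(app_dir=office_dir)
    legacy = Loader(app_dir=office_dir, safe_search=False)
    remote_blocked = Loader(app_dir=office_dir, cwd_illegal=CWD_NO_REMOTE)
    hardened = Loader(app_dir=office_dir, cwd_illegal=CWD_NEVER)
    return {
        # A DLL that exists in System32 is safe under the default order ...
        "present_dll_default": default.resolve("version.dll", fs, doc_dir),
        # ... but not under the legacy order, where CWD is probed before System32
        "present_dll_legacy": legacy.resolve("version.dll", fs, doc_dir),
        # A DLL the application asks for that no earlier directory contains is
        # taken from the attacker-controlled CWD: the planting case
        "absent_dll_default": default.resolve("optionalplugin.dll", fs, doc_dir),
        # CWDIllegalInDllSearch=1 blocks the CWD step for remote folders only
        "absent_dll_no_remote": remote_blocked.resolve("optionalplugin.dll", fs, doc_dir, cwd_remote=True),
        # CWDIllegalInDllSearch=0xFFFFFFFF removes the CWD step everywhere
        "absent_dll_hardened": hardened.resolve("optionalplugin.dll", fs, doc_dir),
    }


if __name__ == "__main__":
    for case, where in demo().items():
        print(f"{case}: {where}")
```

The two cases worth noting are present_dll_default, where the System32 copy wins because SafeDllSearchMode probes the system directories first, and absent_dll_default, where the attacker's copy is mapped simply because nothing earlier in the order satisfies the name. Hardening the working directory closes the second case; it does nothing for a writable application directory, which needs the file-system permission controls listed later on this page.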
Attack Vector
An attacker delivers a malicious DLL together with an Office document, typically in a ZIP archive, network share, or USB drive. When the victim opens the document from that directory, Office resolves a referenced library name to the attacker's DLL and executes its DllMain routine. No elevated privileges are required, but the user must open the document, which satisfies the user interaction requirement.
The vulnerability mechanism follows the classic DLL search-order hijack pattern. No verified proof-of-concept code is publicly available. Refer to the Microsoft Security Update Guide for CVE-2026-20943 for vendor technical details.
Detection Methods for CVE-2026-20943
Indicators of Compromise
- Unexpected DLL files co-located with Office documents (.docx, .xlsx, .pptx) in user directories, network shares, or removable media.
- Office processes such as WINWORD.EXE, EXCEL.EXE, or POWERPNT.EXE loading unsigned or user-writable DLLs from non-standard paths.
- Child processes spawned by Office applications shortly after a document is opened from an untrusted location.
Detection Strategies
- Monitor image load events (Sysmon Event ID 7) for Office binaries loading DLLs from outside C:\Program Files\, C:\Program Files (x86)\, and C:\Windows\ (the last covers System32, SysWOW64, and WinSxS, which 32-bit Office loads from legitimately). Prioritise loads from UNC paths, removable media, and user profile directories, and treat modules reported as unsigned (Signed=false) as the highest priority.
- Alert on Office processes executing cmd.exe, powershell.exe, rundll32.exe, or regsvr32.exe immediately after document open events.
- Correlate document opens from removable media or WebDAV shares with subsequent module loads from the same directory.
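The detection strategies above, implemented as an added example for this page (not vendor or Microsoft detection content). It consumes simplified Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate) records using Sysmon's own field names, raises one alert when an Office process maps a module from outside the trusted roots, and a second when an Office process spawns one of the listed LOLBins, escalating the latter when the same Office process (matched on ProcessGuid) had an untrusted load within a 60-second window. The window, the sample events, and every path, GUID, and timestamp in them are constructed.

```python
"""Detection of an Office DLL search-order hijack over Sysmon telemetry.

Added example for this page; it is not Microsoft's or any vendor's detection
content. Input records are simplified Sysmon Event ID 7 (ImageLoad) and
Event ID 1 (ProcessCreate) events using Sysmon's own field names; every
timestamp, GUID and path below is constructed for the example.
"""
from __future__ import annotations

from datetime import datetime, timedelta

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
# Roots from which Office module loads are expected; C:\Windows\ covers
# System32, SysWOW64 and WinSxS, avoiding false positives on 32-bit Office.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
CHILD_WINDOW = timedelta(seconds=60)  # assumed correlation window; tune per environment


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def parse_time(utc: str) -> datetime:
    # Sysmon UtcTime format: yyyy-MM-dd HH:mm:ss.fff
    return datetime.strptime(utc, "%Y-%m-%d %H:%M:%S.%f")


def analyze(events: list[dict]) -> list[dict]:
    """Two rules from the detection strategy on this page.

    untrusted_module_load: an Office process maps a DLL outside TRUSTED_ROOTS
      (high if the module is unsigned or on a UNC path, otherwise medium).
    office_child_process: an Office process spawns a LOLBin (high when the same
      Office process had an untrusted load within CHILD_WINDOW, else medium).
    """
    alerts: list[dict] = []
    last_untrusted_load: dict[str, datetime] = {}  # ProcessGuid -> time of last hit
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        when = parse_time(ev["UtcTime"])
        if ev["EventID"] == 7 and basename(ev["Image"]) in OFFICE_IMAGES:
            module = ev["ImageLoaded"]
            if is_trusted_dir(module):
                continue
            unsigned = ev.get("Signed", "false").lower() != "true"
            last_untrusted_load[ev["ProcessGuid"]] = when
            alerts.append({
                "rule": "untrusted_module_load",
                "severity": "high" if unsigned or module.startswith("\\\\") else "medium",
                "time": ev["UtcTime"], "process": ev["Image"], "module": module,
            })
        elif ev["EventID"] == 1 and basename(ev["ParentImage"]) in OFFICE_IMAGES:
            if basename(ev["Image"]) not in LOLBINS:
                continue
            prior = last_untrusted_load.get(ev["ParentProcessGuid"])
            escalated = prior is not None and when - prior <= CHILD_WINDOW
            alerts.append({
                "rule": "office_child_process",
                "severity": "high" if escalated else "medium",
                "time": ev["UtcTime"], "process": ev["ParentImage"],
                "child": ev["CommandLine"],
            })
    return alerts


# Constructed sample telemetry: one hijacked Word session and one Excel session
# that spawns cmd.exe without any preceding untrusted module load.
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2026-01-20 09:14:03.120", "ProcessGuid": "{A}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "UtcTime": "2026-01-20 09:14:03.400", "ProcessGuid": "{A}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"\\fileserver\share\invoices\optionalplugin.dll", "Signed": "false"},
    {"EventID": 1, "UtcTime": "2026-01-20 09:14:15.900", "ProcessGuid": "{C}",
     "ParentProcessGuid": "{A}",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"EventID": 7, "UtcTime": "2026-01-20 09:20:01.000", "ProcessGuid": "{B}",
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll",
     "Signed": "true"},
    {"EventID": 1, "UtcTime": "2026-01-20 09:20:44.000", "ProcessGuid": "{D}",
     "ParentProcessGuid": "{B}",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the Word session produces a high-severity module-load alert followed by a high-severity child-process alert, while the Excel session produces only a medium child-process alert; the two trusted loads (System32 and Program Files (x86)) are silently accepted. In a real deployment the same logic runs over events exported from the Sysmon channel or the EDR module-load feed into the SIEM, with the trusted roots extended to any legitimately signed add-in directories in use.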
Monitoring Recommendations
- Enable the Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes and from injecting code into other processes. ASR has no rule that blocks DLL loads as such, so pair it with AppLocker or WDAC DLL rules as described under Workarounds.
- Forward Sysmon, EDR module-load, and process-creation telemetry to a centralized SIEM for retrospective hunting.
- Audit network shares and document libraries for orphaned or recently introduced DLL files adjacent to Office documents.
How to Mitigate CVE-2026-20943
Immediate Actions Required
- Apply the security updates referenced in the Microsoft Security Update Guide for CVE-2026-20943 to all affected Office, Office Deployment Tool, and SharePoint Server installations.
- Block opening Office documents directly from removable media, untrusted network shares, and email attachments without first saving them to a trusted location.
- Restrict write permissions on directories used to stage Office content so that standard users cannot drop DLLs alongside documents.
Patch Information
Microsoft has released fixes through the January 2026 security update cycle. Administrators should consult the Microsoft Security Update Guide for CVE-2026-20943 to identify the specific KB articles and build numbers applicable to each affected product channel and deploy them through Microsoft Update, WSUS, Intune, or SCCM.
Workarounds
- Set the CWDIllegalInDllSearch registry value to remove the current working directory from the DLL search order. A value of 0xFFFFFFFF removes it entirely, 1 blocks it only when it is a remote (UNC or WebDAV) folder, and 2 only for WebDAV. The value can be applied machine-wide under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager or scoped to individual executables (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE) under their Image File Execution Options keys; test before broad rollout, because some legacy applications rely on loading from the working directory.
- Configure Office Protected View and Mark-of-the-Web enforcement so documents from the internet and untrusted shares open in a restricted sandbox.
- Deploy AppLocker or Windows Defender Application Control policies that prevent Office applications from loading unsigned DLLs from user-writable locations.
# Configuration example (run from an elevated PowerShell session): remove the current working directory from the DLL search order machine-wide
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0xFFFFFFFF /f
# Block Office applications from creating child processes (ASR rule). Add-MpPreference appends to the configured rule list;
# Set-MpPreference would replace it. Use -AttackSurfaceReductionRules_Actions AuditMode first to measure impact on add-ins.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.