CVE-2026-32197 Overview
CVE-2026-32197 is a use-after-free vulnerability [CWE-416] in Microsoft Office Excel that allows an unauthorized attacker to execute arbitrary code locally. The flaw affects multiple Office product lines, including Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021 and 2024, and Office Online Server. Exploitation requires user interaction, typically through opening a crafted Excel document. Successful exploitation grants the attacker code execution in the context of the current user, compromising confidentiality, integrity, and availability of the host.
Critical Impact
A crafted spreadsheet can trigger memory corruption in Excel and run attacker-controlled code with the privileges of the logged-in user.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Excel 2016, Microsoft Office 2019, Office LTSC 2021 and 2024 (including macOS)
- Microsoft Office Online Server
Discovery Timeline
- 2026-04-14 - CVE-2026-32197 published to the National Vulnerability Database (NVD)
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-32197
Vulnerability Analysis
The vulnerability is a use-after-free condition in Microsoft Office Excel's document parsing or object handling logic. Excel frees a memory object but retains a dangling pointer that is later dereferenced during continued processing. An attacker crafts a malicious workbook that triggers the object lifetime mismatch when opened. Reuse of the freed memory enables the attacker to control the contents at the dangling pointer's location. When Excel dereferences this pointer, attacker-controlled data is treated as a valid object, leading to local code execution in the user's session.
Root Cause
The root cause is improper memory lifetime management [CWE-416]. Excel releases a heap object while another code path still holds a reference. Subsequent operations on the stale reference dereference attacker-controlled memory, corrupting program state and redirecting execution flow.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a malicious .xlsx, .xls, or related Excel file through email, a web download, a network share, or a collaboration platform. When a user opens the file, Excel parses the embedded structures and the use-after-free is triggered. The attacker gains code execution at the privilege level of the current user, which can then be used for persistence, credential theft, or lateral movement.
No public proof-of-concept exploit is available at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Microsoft Security Update Guide for additional technical context.
Detection Methods for CVE-2026-32197
Indicators of Compromise
- Excel spawning unexpected child processes such as cmd.exe, powershell.exe, rundll32.exe, mshta.exe, or wscript.exe
- Excel processes writing executable files, scripts, or scheduled task artifacts to %APPDATA%, %TEMP%, or user profile directories
- Abnormal Excel crashes (EXCEL.EXE faulting modules in Windows Event ID 1000) shortly before suspicious process activity
- Outbound network connections from EXCEL.EXE to untrusted hosts immediately after document open
Detection Strategies
- Hunt for parent-child relationships where EXCEL.EXE spawns scripting interpreters or LOLBins
- Inspect inbound email attachments and downloaded spreadsheets for malformed records, embedded OLE objects, or obfuscated macros
- Correlate Microsoft Defender SmartScreen, Mark-of-the-Web, and Protected View bypass attempts on Office documents
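The parent-child hunt and the crash indicator listed above can be combined into one triage pass. The following is an added example, not code from this advisory or from Microsoft: it runs over constructed records, and the `host` field, the crash record layout and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Child image names from the indicator list above, lower-cased.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
CRASH_WINDOW = timedelta(minutes=5)  # assumption: what "shortly before" means

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")  # Sysmon UtcTime layout

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name of a Windows path

def hunt(process_events, crash_events):
    """Return Excel -> interpreter/LOLBin spawns, rated high if Excel crashed just before."""
    crashes = [(c["host"], parse(c["time"])) for c in crash_events
               if image_name(c["app"]) == "excel.exe"]
    findings = []
    for ev in process_events:
        child = image_name(ev["Image"])
        if image_name(ev["ParentImage"]) != "excel.exe" or child not in SUSPICIOUS_CHILDREN:
            continue
        spawned = parse(ev["UtcTime"])
        crashed = any(host == ev["host"] and timedelta(0) <= spawned - when <= CRASH_WINDOW
                      for host, when in crashes)
        findings.append({"host": ev["host"], "child": child, "time": ev["UtcTime"],
                         "severity": "high" if crashed else "medium"})
    return findings

# Constructed sample records, not real telemetry. Image, ParentImage and UtcTime are
# Sysmon Event ID 1 field names; "host" and the crash record layout are assumptions.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-01", "UtcTime": "2026-04-20 09:15:42.100", "ParentImage": EXCEL,
     "Image": SYS32 + r"WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-01", "UtcTime": "2026-04-20 09:20:03.500", "ParentImage": EXCEL,
     "Image": SYS32 + "splwow64.exe"},  # print helper, not on the list
    {"host": "WS-02", "UtcTime": "2026-04-20 11:02:05.000", "ParentImage": EXCEL,
     "Image": SYS32 + "mshta.exe"},
    {"host": "WS-02", "UtcTime": "2026-04-20 11:05:00.000",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": SYS32 + "cmd.exe"},
]
SAMPLE_CRASH_EVENTS = [  # stand-ins for Application log Event ID 1000 records
    {"host": "WS-01", "time": "2026-04-20 09:13:10.000", "app": "EXCEL.EXE"},
    {"host": "WS-02", "time": "2026-04-20 11:30:00.000", "app": "EXCEL.EXE"},  # after the spawn
    {"host": "WS-03", "time": "2026-04-20 10:00:00.000", "app": "WINWORD.EXE"},
]

if __name__ == "__main__":
    print(*hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_CRASH_EVENTS), sep="\n")
```

A crash only raises the rating when it precedes the spawn on the same host, so the later WS-02 crash leaves that finding at medium.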
Monitoring Recommendations
- Enable and centralize Microsoft Office telemetry, Windows Sysmon process creation, and image load events for EXCEL.EXE
- Alert on Excel processes loading unusual modules from user-writable paths
- Track patch compliance for Microsoft 365 Apps, Excel 2016, Office 2019, and Office LTSC 2021/2024 across the fleet
How to Mitigate CVE-2026-32197
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update Guide to all affected Office installations
- Verify that Microsoft 365 Apps update channels are current and that managed deployments have received the fix
- Block or quarantine Excel attachments from untrusted external senders at the mail gateway until patching is complete
Patch Information
Microsoft has released security updates for the affected Office products. Administrators should consult the vendor advisory at msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32197 and deploy the corresponding update for each affected channel, including Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server.
Workarounds
- Enforce Protected View and Office Application Guard for files originating from the internet or email
- Disable or restrict legacy file formats and external content using Office Trust Center and Group Policy
- Apply Attack Surface Reduction (ASR) rules to block Office applications from creating child processes and writing executable content
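```powershell
# Configuration example: enable ASR rules that limit Excel post-exploitation.
# Add-MpPreference appends to the configured rule list; Set-MpPreference would
# replace the list, so a second call would drop the rule enabled by the first.

# Block all Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids `
    D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled

# Block Office applications from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids `
    3B576869-A4EC-4529-8536-B80A7769E899 `
    -AttackSurfaceReductionRules_Actions Enabled
```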


