CVE-2026-35436 Overview
CVE-2026-35436 is a local privilege escalation vulnerability in Microsoft Office Click-To-Run (C2R). The flaw stems from insufficient granularity of access control [CWE-1220] within the Click-To-Run service, which manages installation and update operations for Microsoft Office products. An authorized attacker with low-privilege access to a target system can abuse the service to elevate privileges locally.
The vulnerability impacts confidentiality, integrity, and availability, and its scope is marked as changed, meaning successful exploitation affects resources beyond the vulnerable component. Microsoft published an advisory through the Security Response Center on May 12, 2026.
Critical Impact
A local authenticated attacker can leverage Microsoft Office Click-To-Run to gain higher privileges, potentially reaching SYSTEM-level execution on affected Windows hosts.
Affected Products
- Microsoft Office Click-To-Run
- Microsoft Office products distributed via the Click-To-Run installer
- Windows endpoints with vulnerable Click-To-Run components installed
Discovery Timeline
- 2026-05-12 - CVE-2026-35436 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-35436
Vulnerability Analysis
The vulnerability resides in the Microsoft Office Click-To-Run service, which provides streaming installation, configuration, and update functionality for Office. The service runs with elevated privileges to perform package operations and apply updates across the system. Insufficient granularity of access control [CWE-1220] means that the service does not enforce sufficiently fine-grained checks between callers and the privileged operations it exposes.
A low-privileged local user can reach, through the service interface, privileged operations and resources that should be reserved for higher-privileged contexts. Because the service itself runs in an elevated context, the CVSS scope is rated changed: exploitation crosses the boundary between the caller's security context and the service's, and the resulting impact on confidentiality, integrity, and availability of the host is rated high.
Root Cause
The root cause is overly broad authorization within the Click-To-Run service. Access control decisions do not separate privileged maintenance functions from operations that ordinary users may legitimately request. This design weakness allows a standard user context to reach code paths that should require administrative privileges.
Attack Vector
Exploitation requires local access to the system and valid low-privileged credentials. No user interaction is required beyond the attacker's own session. The attacker interacts with the Click-To-Run service interface to trigger a privileged operation that should have been gated by stricter access controls. A successful attack results in code execution or file operations under a higher-privileged context, enabling full host compromise. See the Microsoft Security Update for CVE-2026-35436 for the vendor's technical description.
Detection Methods for CVE-2026-35436
Indicators of Compromise
- Unexpected child processes spawned by OfficeClickToRun.exe running as SYSTEM or another elevated account.
- File writes or modifications under Click-To-Run package directories by non-administrative users.
- Service control or named-pipe interactions with the Click-To-Run service originating from standard user contexts.
Detection Strategies
- Hunt for privilege transitions where a standard-user process triggers a Click-To-Run operation that results in SYSTEM-level activity (for example, a child of OfficeClickToRun.exe running as SYSTEM from a user-writable path).
- Alert on creation of new scheduled tasks, services, or persistence mechanisms shortly after Click-To-Run service interactions.
- Correlate Office update or repair events with subsequent execution of non-Office binaries from writable paths.
Monitoring Recommendations
- Enable Windows process creation auditing (Security Event ID 4688) on systems running Microsoft Office, with the "Include command line in process creation events" policy turned on so that the command line is recorded.
- Monitor Sysmon Event IDs 1 (process creation), 7 (image load), and 11 (file create) for unusual module loads and file operations within the Click-To-Run process tree.
- Review endpoint telemetry for anomalous tokens or impersonation events tied to the Click-To-Run service.
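As an added hunting example that is not part of the advisory or of Microsoft's guidance, the following PowerShell query implements the first detection strategy above over the local Sysmon channel: it pulls Event ID 1 records whose parent image is OfficeClickToRun.exe and surfaces those where the child runs as SYSTEM from a directory outside the assumed Office and Windows install roots. The trusted-root list and the one-day lookback are assumptions to tune for your environment.

```powershell
# Added example, not from the MSRC advisory: hunt Sysmon process-creation
# events (Event ID 1) for children of OfficeClickToRun.exe that run as SYSTEM
# from outside the expected Click-To-Run / Office / Windows directories.
# Assumes Sysmon is installed and logging to its default channel.

# Directories a legitimate C2R child process is expected to execute from.
# Assumption: default install locations; adjust for non-standard deployments.
$TrustedRoots = @(
    'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\',
    'C:\Program Files\Microsoft Office\',
    'C:\Program Files (x86)\Microsoft Office\',
    'C:\Windows\System32\',
    'C:\Windows\SysWOW64\'
)

# Pull one named <Data> field out of a Sysmon event's EventData block.
function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-SuspiciousC2RChild {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $parent = [string](Get-EventDataField $x 'ParentImage')
        if ($parent -notlike '*\OfficeClickToRun.exe') { continue }

        $image = [string](Get-EventDataField $x 'Image')
        $user  = [string](Get-EventDataField $x 'User')

        $trusted = $false
        foreach ($root in $TrustedRoots) {
            if ($image.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
                break
            }
        }

        # A SYSTEM child of the C2R service executing from an unexpected path
        # (for example a user-writable directory) is the pattern to escalate.
        if (-not $trusted -and $user -eq 'NT AUTHORITY\SYSTEM') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Image       = $image
                User        = $user
                CommandLine = Get-EventDataField $x 'CommandLine'
                ParentImage = $parent
            }
        }
    }
}

# Usage: list suspicious children from the last 24 hours.
Find-SuspiciousC2RChild | Format-Table -AutoSize -Wrap
```

Legitimate update activity will also spawn SYSTEM children of OfficeClickToRun.exe, so the filter keys on the executable's path rather than on the parent alone; if your deployment installs Office somewhere else, add that root to the list or the query will flood you with benign hits.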
How to Mitigate CVE-2026-35436
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-35436 to all Office installations.
- Inventory endpoints running Microsoft Office Click-To-Run and prioritize patching of multi-user systems and privileged workstations.
- Restrict interactive local logon on shared hosts to reduce the population of users able to exploit local privilege escalation.
Patch Information
Microsoft addressed CVE-2026-35436 through its standard Office update channel. Click-To-Run installations typically receive updates automatically, but administrators should confirm that the current Office build matches or exceeds the fixed build listed in the MSRC advisory for the update channel the host follows. Air-gapped or update-deferred environments must trigger the update manually, either by running the Click-To-Run client update command on the host or by deploying the fixed build with the Office Deployment Tool.
Workarounds
- Limit local logon rights and remove standard users from systems where Office Click-To-Run is installed until patching completes.
- Enforce application control policies that restrict execution of binaries from user-writable paths invoked by Click-To-Run.
- Disable unattended sessions and increase monitoring on shared or kiosk endpoints where local access is unavoidable.
# Verify the installed Click-To-Run version on a Windows host
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /v VersionToReport
# Force an Office update via the Click-To-Run client
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user
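As an added example (not from the MSRC advisory or from Microsoft tooling), the PowerShell function below turns the version check into an inventory step across several hosts: it reads VersionToReport from the same registry key the command above queries, compares it with the fixed build as a [version], and reports the update channel so deferred channels stand out. The fixed build number is not reproduced here; the function takes it as a parameter that you must copy from the advisory, and the remote path assumes PowerShell Remoting is enabled and that you run it as a local administrator on the targets.

```powershell
# Added example, not from the MSRC advisory: compare the installed
# Click-To-Run build (VersionToReport) with the fixed build on one or more hosts.
# Assumptions: the fixed build is supplied by the caller from the advisory,
# remote hosts have PowerShell Remoting enabled, and the caller is a local admin.

function Test-C2RPatched {
    param(
        [Parameter(Mandatory)][version]$FixedVersion,   # fixed build from the MSRC advisory
        [string[]]$ComputerName = @($env:COMPUTERNAME)  # hosts to inventory
    )

    # Runs on each target; returns installed build, update channel and patch state.
    $probe = {
        param([string]$Fixed)
        $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
        $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $cfg -or -not $cfg.VersionToReport) {
            return [pscustomobject]@{ Installed = $false; Version = $null; Channel = $null; Patched = $null }
        }
        $installed = [version]$cfg.VersionToReport
        [pscustomobject]@{
            Installed = $true
            Version   = $installed
            Channel   = $cfg.UpdateChannel     # CDN URL of the channel the host follows
            Patched   = ($installed -ge [version]$Fixed)
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $r = & $probe $FixedVersion.ToString()
            } else {
                $r = Invoke-Command -ComputerName $computer -ScriptBlock $probe `
                        -ArgumentList $FixedVersion.ToString() -ErrorAction Stop
            }
            [pscustomobject]@{
                ComputerName = $computer; Installed = $r.Installed; Version = $r.Version
                Channel = $r.Channel; Patched = $r.Patched; Error = $null
            }
        } catch {
            [pscustomobject]@{
                ComputerName = $computer; Installed = $null; Version = $null
                Channel = $null; Patched = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Usage: prompt for the fixed build so that no version number is hard-coded here,
# then list hosts that are not confirmed patched (unpatched, no Office, or unreachable).
$fixed = [version](Read-Host 'Fixed Click-To-Run build from the MSRC advisory')
Test-C2RPatched -FixedVersion $fixed -ComputerName $env:COMPUTERNAME |
    Where-Object { $_.Patched -ne $true } |
    Format-Table -AutoSize
```

Hosts that come back with Patched set to False can be pushed forward with the OfficeC2RClient.exe update command shown above; hosts that show a deferred or semi-annual channel in the Channel column may not receive the fixed build until that channel ships it, which is the case where the Office Deployment Tool route applies.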
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.