CVE-2026-41102 Overview
CVE-2026-41102 is an improper access control vulnerability in Microsoft Office PowerPoint. The flaw allows an authorized local attacker to perform spoofing operations on an affected system. Microsoft assigned a CVSS 3.1 base score of 5.5 with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating a high impact to integrity. The vulnerability is tracked under CWE-284: Improper Access Control and affects the PowerPoint application on Android.
Critical Impact
An authenticated local attacker can manipulate PowerPoint content or interface elements to spoof trusted data, undermining integrity for users who rely on the displayed information.
Affected Products
- Microsoft PowerPoint for Android
- Microsoft Office PowerPoint (mobile platform variants identified in vendor advisory)
- See the Microsoft Security Response Center advisory for the complete product list
Discovery Timeline
- 2026-05-12 - CVE-2026-41102 published to NVD
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-41102
Vulnerability Analysis
The vulnerability stems from improper access control within Microsoft PowerPoint. PowerPoint fails to correctly enforce permission boundaries on certain resources or interface components. An authorized attacker with local access can leverage this gap to present spoofed content as legitimate.
The Microsoft advisory classifies the issue as a spoofing vulnerability. The CVSS vector indicates no impact to confidentiality or availability, but a high impact to integrity. Attackers can therefore alter the trustworthiness of displayed information without exfiltrating data or causing denial of service.
Exploitation requires the attacker to already hold low privileges on the device. No user interaction is required to trigger the flaw once the attacker has local access. The scope is unchanged, meaning the impact remains confined to the PowerPoint security context.
Root Cause
The root cause maps to CWE-284: Improper Access Control. PowerPoint does not adequately restrict access to a resource or operation that should be limited to higher-privileged components. This deficiency lets a local actor manipulate content paths or interface state that downstream code treats as trusted.
Attack Vector
The attack vector is local. An authorized user on the device interacts with PowerPoint resources that the application fails to gate behind proper access checks. The attacker uses this gap to present misleading content, file properties, or interface elements to the victim. Because the Android CPE is the one listed, mobile deployments are the primary at-risk surface; multi-user or shared-device contexts magnify the spoofing impact.
No public proof-of-concept code, exploit module, or CISA KEV listing exists for CVE-2026-41102 at the time of writing. The EPSS score sits at 0.039%, reflecting low predicted exploitation activity.
Detection Methods for CVE-2026-41102
Indicators of Compromise
- Unexpected modifications to PowerPoint files, embedded objects, or metadata on shared Android devices
- Presentations rendering content that does not match the underlying file on disk
- PowerPoint process activity from non-standard user contexts on managed mobile endpoints
Detection Strategies
- Monitor mobile device management (MDM) telemetry for unauthorized PowerPoint configuration or file changes
- Compare installed PowerPoint build numbers across the fleet against the Microsoft-fixed version listed in the advisory
- Review audit logs for local privilege use targeting Office application data directories on Android
Monitoring Recommendations
- Centralize Microsoft 365 mobile app inventory data to flag devices running pre-patch PowerPoint builds
- Alert on shared-device sessions where multiple users access the same Office documents in short succession
- Track file integrity for .pptx artifacts stored in synchronized OneDrive or SharePoint locations
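One way to implement the build comparison from the detection strategies and the pre-patch inventory flagging from the monitoring recommendations (added example, not the advisory's own tooling): the fixed build number is a placeholder to be replaced with the value from the MSRC advisory, the inventory records are constructed sample data, and versions are compared numerically rather than as strings so that a build such as 16.0.10 is not ranked below 16.0.9.

```python
# Added example (not from the advisory): flag fleet devices running a
# PowerPoint for Android build older than the fixed build.
from typing import Iterable, List, Tuple

# PLACEHOLDER: replace with the fixed build listed in the MSRC advisory for CVE-2026-41102
FIXED_BUILD = "16.0.99999.99999"
# Play Store package id of Microsoft PowerPoint for Android
PACKAGE = "com.microsoft.office.powerpoint"


def build_tuple(version: str) -> Tuple[int, ...]:
    """Parse '16.0.123.4' into ints; string comparison would mis-order 16.0.9 vs 16.0.10."""
    return tuple(int(p) for p in version.split("."))


def is_vulnerable(version: str, fixed: str = FIXED_BUILD) -> bool:
    """True when the installed build predates the fixed build."""
    return build_tuple(version) < build_tuple(fixed)


def flag_devices(inventory: Iterable[dict], fixed: str = FIXED_BUILD) -> List[Tuple[str, str]]:
    """Return (device_id, version) for every device still on a pre-patch PowerPoint build."""
    flagged = []
    for record in inventory:
        if record.get("package") != PACKAGE:
            continue  # other Office apps in the inventory are out of scope for this CVE
        if is_vulnerable(record["version"], fixed):
            flagged.append((record["device_id"], record["version"]))
    return flagged


# Constructed sample MDM inventory, not real telemetry
SAMPLE_INVENTORY = [
    {"device_id": "tab-001", "package": PACKAGE, "version": "16.0.9999.10000"},
    {"device_id": "tab-002", "package": PACKAGE, "version": "16.0.99999.99999"},
    {"device_id": "tab-003", "package": "com.microsoft.office.word", "version": "16.0.1.1"},
    {"device_id": "tab-004", "package": PACKAGE, "version": "16.0.100000.1"},
]

if __name__ == "__main__":
    for device_id, version in flag_devices(SAMPLE_INVENTORY):
        print(f"{device_id}: PowerPoint {version} is below fixed build {FIXED_BUILD}")
```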
How to Mitigate CVE-2026-41102
Immediate Actions Required
- Update Microsoft PowerPoint for Android to the fixed version published in the Microsoft Security Response Center advisory
- Enforce mobile device management policies that require automatic Office app updates from the Google Play Store
- Restrict installation of PowerPoint on unmanaged or shared devices until patching is verified
Patch Information
Microsoft has published the official remediation guidance and updated builds through the MSRC update guide for CVE-2026-41102. Administrators should consult that advisory for the specific version numbers and deployment instructions applicable to their environment.
Workarounds
- Limit local access to devices running vulnerable PowerPoint builds, particularly shared or kiosk-mode tablets
- Require multi-user separation on Android devices so that PowerPoint sessions cannot be reused across accounts
- Educate users to verify presentation content against the source file before acting on displayed information
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.