CVE-2026-42831 Overview
CVE-2026-42831 is a heap-based buffer overflow vulnerability in Microsoft Office that allows an unauthorized attacker to execute code locally. The flaw is categorized under CWE-122 and affects Microsoft Office across Android and macOS Long-Term Servicing Channel (LTSC) editions. Successful exploitation requires user interaction, typically opening a crafted document. The attacker gains the ability to run arbitrary code in the context of the current user, leading to a complete compromise of confidentiality, integrity, and availability on the target host.
Critical Impact
An attacker who convinces a user to open a malicious Office document can execute arbitrary code locally with the privileges of the logged-in user.
Affected Products
- Microsoft Office for Android
- Microsoft Office LTSC 2021 for macOS
- Microsoft Office LTSC 2024 for macOS
Discovery Timeline
- 2026-05-12 - CVE-2026-42831 published to the National Vulnerability Database (NVD)
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-42831
Vulnerability Analysis
The vulnerability is a heap-based buffer overflow in Microsoft Office document parsing. When Office processes a crafted file, it writes data past the bounds of a heap-allocated buffer. The out-of-bounds write corrupts adjacent heap metadata or object pointers within the Office process address space.
An attacker can shape the heap so that the overflow overwrites a function pointer, virtual table entry, or other control-flow primitive. Once that corrupted structure is dereferenced, execution transfers to attacker-controlled code. Because the affected process runs as the interactive user, the attacker inherits that user's permissions, including access to local files, mailboxes, and authenticated cloud sessions.
The vulnerability impacts Microsoft Office on Android and the LTSC 2021 and 2024 builds on macOS, which indicates the defective parser is in shared cross-platform code rather than a Windows-only component.
Root Cause
The root cause is improper validation of size or length values during deserialization of structured content from an Office document. The code allocates a heap buffer based on one field but copies a larger quantity of bytes derived from attacker-controlled input, producing the overflow characteristic of CWE-122.
Attack Vector
Exploitation is local and requires user interaction. The attacker delivers a crafted Office file through email, messaging, a cloud share, or a website. When the victim opens the file in a vulnerable Office build, the parser triggers the overflow and the embedded payload runs without further prompts. No prior authentication on the target system is required by the attacker.
No public proof-of-concept exploit and no confirmed in-the-wild exploitation have been reported for CVE-2026-42831 at the time of writing. The EPSS probability is 0.058%.
Detection Methods for CVE-2026-42831
Indicators of Compromise
- Office applications (winword, excel, powerpnt, or their macOS/Android equivalents) spawning unexpected child processes such as shells, scripting interpreters, or curl/wget.
- Office processes writing executable content to user-writable paths (for example ~/Library/LaunchAgents, ~/Downloads, or Android app sandboxes) shortly after opening a document.
- Crash or Watson telemetry showing heap corruption faults in Office binaries when opening a specific attachment.
Detection Strategies
- Hunt for anomalous process lineage where an Office application is the parent of a network or scripting utility on macOS and Android-managed endpoints.
- Inspect mail gateways and collaboration platforms for Office documents with malformed embedded objects or unusually large structured streams that may trigger the overflow.
- Correlate Office process crashes with subsequent outbound network connections to previously unseen domains.
Monitoring Recommendations
- Forward endpoint process, file, and network telemetry from macOS and mobile fleets into a centralized analytics platform for retroactive hunting.
- Alert on first-seen child processes of Office applications across the environment.
- Track Office version inventory to identify hosts still running pre-patch LTSC 2021, LTSC 2024 (macOS), or Android builds.
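The process-lineage hunt and the first-seen child alert described above, as an added example that is not part of the advisory: it runs over constructed JSON-lines endpoint telemetry (field names, macOS application names and the fleet baseline are all assumptions for this example).

```python
import json

# Office parent images: the Windows names from the advisory plus the macOS
# application names; the macOS names and all field names here are assumptions.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "microsoft word", "microsoft excel", "microsoft powerpoint"}
# Shells, script interpreters and download utilities an Office app should not spawn.
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "python3", "osascript", "curl", "wget"}

# Constructed telemetry (not real data): one JSON object per line.
SAMPLE_EVENTS = """\
{"host": "mac-01", "user": "alice", "parent": "Microsoft Word", "child": "com.apple.WebKit.WebContent"}
{"host": "mac-01", "user": "alice", "parent": "Microsoft Word", "child": "sh"}
{"host": "mac-02", "user": "bob", "parent": "Microsoft Excel", "child": "osascript"}
{"host": "mac-03", "user": "carol", "parent": "Microsoft PowerPoint", "child": "com.apple.WebKit.WebContent"}
{"host": "mac-03", "user": "carol", "parent": "Finder", "child": "sh"}
"""

# Constructed baseline of (parent, child) pairs already known to be normal in the fleet.
BASELINE = {("microsoft word", "com.apple.webkit.webcontent"),
            ("microsoft powerpoint", "com.apple.webkit.webcontent")}

def parse_events(text):
    """Parse JSON-lines telemetry; image names are lower-cased so matching is case-insensitive."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["parent"] = ev["parent"].lower()
        ev["child"] = ev["child"].lower()
        events.append(ev)
    return events

def suspicious_lineage(events):
    """Hunt: (host, user, parent, child) where an Office app spawned a shell, interpreter or downloader."""
    return [(e["host"], e["user"], e["parent"], e["child"]) for e in events
            if e["parent"] in OFFICE_PARENTS and e["child"] in SUSPICIOUS_CHILDREN]

def first_seen_children(events, baseline=BASELINE):
    """Alert: (parent, child) pairs under an Office parent that are not in the fleet baseline."""
    return {(e["parent"], e["child"]) for e in events
            if e["parent"] in OFFICE_PARENTS and (e["parent"], e["child"]) not in baseline}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("suspicious lineage:", suspicious_lineage(evs))
    print("first-seen Office children:", sorted(first_seen_children(evs)))
```

The Finder-spawned shell is deliberately left unflagged: the hunt keys on the Office parent, not on the child alone, which keeps the alert volume manageable on real fleets.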
How to Mitigate CVE-2026-42831
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update CVE-2026-42831 advisory to all affected Office installations.
- Prioritize patching for users who routinely open documents from external senders.
- Block or quarantine inbound Office attachments from untrusted sources at the mail gateway until patches are deployed.
Patch Information
Microsoft has published guidance and updates for CVE-2026-42831 in its update guide. Administrators should reference the Microsoft Security Update CVE-2026-42831 advisory for the exact fixed build numbers for Microsoft Office on Android, Office LTSC 2021 for macOS, and Office LTSC 2024 for macOS, then deploy through the relevant management channel (Microsoft AutoUpdate for macOS or the Google Play managed channel for Android).
Workarounds
- Enable Protected View and disable automatic opening of files from internet or email sources where supported by the platform.
- Restrict execution of Office macros and embedded content using mobile device management (MDM) and macOS configuration profiles.
- Train users to avoid opening unsolicited Office documents and to report suspicious attachments.
# Configuration example: force Microsoft AutoUpdate (MAU) to check for and install Office updates on macOS
# MAU application identifiers: Word MSWD2019, Excel XCEL2019, PowerPoint PPT32019, Outlook OPIM2019
# (these identifiers also cover the LTSC 2021 and LTSC 2024 builds); run msupdate --list to see pending updates,
# or omit --apps to install every available update
/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS/msupdate \
    --install --apps MSWD2019 XCEL2019 PPT32019 OPIM2019
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.