CVE-2026-42832 Overview
CVE-2026-42832 is an improper access control vulnerability in Microsoft Office that allows a local, authenticated attacker to perform spoofing. The flaw is tracked under CWE-284 and affects Microsoft Excel, Microsoft Word, and Microsoft Office across Android and macOS distributions. Microsoft published the advisory on May 12, 2026. Exploitation requires local access and low privileges with no user interaction, and the issue primarily impacts integrity rather than confidentiality or availability.
Critical Impact
A local attacker with low privileges can leverage improper access control in Microsoft Office to spoof trusted content, potentially deceiving users and altering integrity-protected workflows.
Affected Products
- Microsoft Excel (Android)
- Microsoft Office 2021 and 2024 LTSC for macOS
- Microsoft Word (Android)
Discovery Timeline
- 2026-05-12 - CVE-2026-42832 published to NVD
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-42832
Vulnerability Analysis
The vulnerability stems from improper access control [CWE-284] within Microsoft Office components on Android and macOS LTSC builds. An attacker with local access and low-level privileges can bypass intended access restrictions to perform spoofing actions. Because the issue does not require user interaction, an attacker who already has a foothold on the device can leverage it as part of a chained attack.
The CVSS vector indicates a high integrity impact with no effect on confidentiality or availability. This profile is consistent with spoofing flaws where the attacker can present manipulated content as legitimate without exposing data or crashing the application.
Root Cause
The root cause is insufficient enforcement of access control checks in Office application logic. The affected components do not adequately validate the source or trust context of certain operations, allowing locally executed code to influence content rendering or document properties in ways that misrepresent legitimacy to the user.
Attack Vector
Exploitation requires local access (AV:L) and a user account with low privileges (PR:L). No user interaction is needed. An attacker who has already executed code on the target device, for example through a malicious application on Android or a sideloaded payload on macOS, can invoke the vulnerable Office functionality to spoof document content or interface elements that users rely on for trust decisions.
No public proof-of-concept is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.041%, indicating a low probability of exploitation in the near term.
Detection Methods for CVE-2026-42832
Indicators of Compromise
- Unexpected Microsoft Office processes spawning from non-standard user directories on macOS or Android sandbox paths.
- Office documents displaying inconsistent metadata, signatures, or author information compared to their source of origin.
- Local applications writing to Office configuration or template directories without administrative context.
Detection Strategies
- Monitor endpoint telemetry for anomalous local process activity invoking Excel, Word, or Office binaries on Android and macOS LTSC installations.
- Correlate document open events with parent process lineage to identify spoofed content originating from untrusted local applications.
- Apply file integrity monitoring to Office template, add-in, and shared component directories.
Monitoring Recommendations
- Track installed Office versions across managed mobile and macOS endpoints and flag unpatched builds.
- Alert on local privilege use that interacts with Office IPC channels or document handlers.
- Review mobile device management (MDM) logs for Office app updates and configuration drift on Android.
How to Mitigate CVE-2026-42832
Immediate Actions Required
- Apply the security update referenced in the Microsoft Security Update CVE-2026-42832 advisory to all affected Excel, Word, and Office installations.
- Inventory macOS LTSC 2021 and 2024 deployments and Android Office app versions to confirm patch coverage.
- Restrict installation of untrusted local applications on devices running Microsoft Office.
Patch Information
Microsoft has released updates addressing CVE-2026-42832. Refer to the Microsoft Security Update CVE-2026-42832 advisory for product-specific build numbers and deployment guidance for Excel on Android, Word on Android, and Office 2021 and 2024 LTSC for macOS.
Workarounds
- Enforce application allowlisting on macOS endpoints to limit which local processes can interact with Office applications.
- Use MDM policies on Android to restrict sideloading and require Office apps to be installed only from approved stores.
- Educate users to verify document origin and metadata before acting on integrity-sensitive content received locally.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
