Microsoft Excel Integer Underflow Vulnerability Leading to Remote Code Execution

An integer underflow vulnerability has been identified in Microsoft Office Excel, allowing an unauthorized attacker to execute code locally. This issue affects multiple versions of Excel, including Excel 2016 (both 32-bit and 64-bit editions), Office LTSC for Mac 2021 and 2024, Office 2019 (32-bit and 64-bit editions), and Microsoft 365 Apps for Enterprise (also in 32-bit and 64-bit versions). The vulnerability arises from an integer underflow, or wraparound, which can be exploited to execute arbitrary code.

Impact

Exploitation of this vulnerability allows for remote code execution.

Remediation

Users can download the security update for Microsoft Excel 2016 (both 32-bit and 64-bit editions) from the Microsoft Update Catalog. For Microsoft Office LTSC 2024 and 2021 for Mac, the security updates will be released as soon as possible, with customers being notified when they are available. Microsoft 365 Apps for Enterprise users can also download the security update through the Microsoft Update mechanism. Office Online Server users can download the security update from the Microsoft Update Catalog.