CVE-2026-56193
Received Received - Intake

Out-of-bounds Read in Microsoft Office

Vulnerability report for CVE-2026-56193, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Microsoft Corporation

Description

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft office *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56193 is an out-of-bounds read vulnerability in Microsoft Office. This flaw allows an unauthorized attacker to locally disclose sensitive information from the affected system.

An out-of-bounds read occurs when a program reads data beyond the intended boundary of a buffer or memory location. In this case, the vulnerability could enable an attacker to access and extract information that they should not have permission to view.

The vulnerability is classified with a CVSS v3.1 BaseScore of 7.1, indicating a high severity for confidentiality impacts but no integrity or availability impacts. The attack vector is local, meaning the attacker must have access to the system to exploit it.

Impact Analysis

This vulnerability can impact you in several ways if you use an affected version of Microsoft Office.

  • Unauthorized disclosure of sensitive information: An attacker could exploit this flaw to access and extract confidential data stored on your system, such as documents, emails, or other sensitive files.
  • Local access requirement: The attacker must have local access to your system to exploit this vulnerability, which means physical access or prior compromise of the system may be necessary.
  • Potential for further attacks: The disclosed information could be used as a stepping stone for additional attacks, such as phishing, identity theft, or lateral movement within a network.

The impact is primarily on confidentiality, as the vulnerability does not allow for data modification or system disruption.

Compliance Impact

This vulnerability could affect compliance with several common standards and regulations, depending on the nature of the data processed or stored by the affected Microsoft Office installation.

  • GDPR (General Data Protection Regulation): If the disclosed information includes personal data of EU citizens, this vulnerability could lead to a data breach. Under GDPR, organizations must implement appropriate security measures to protect personal data. Failure to patch this vulnerability could result in non-compliance, leading to potential fines and reputational damage.
  • HIPAA (Health Insurance Portability and Accountability Act): If the affected system processes or stores protected health information (PHI), exploitation of this vulnerability could result in unauthorized disclosure of PHI. This would constitute a breach under HIPAA, requiring notification and potentially leading to penalties.
  • Other regulations: Depending on the industry, other standards such as PCI DSS (for payment card data) or sector-specific regulations may also be impacted if the disclosed information falls under their scope.

Organizations should assess the types of data processed by the affected systems and determine their compliance obligations. Patching the vulnerability promptly is critical to maintaining compliance and avoiding potential legal or financial consequences.

Detection Guidance

The provided context does not include specific detection methods or commands for identifying CVE-2026-56193 on a network or system. Detection typically involves checking for vulnerable versions of Microsoft Office or using security tools that can identify out-of-bounds read vulnerabilities in installed software.

To detect vulnerable versions of Microsoft Office, you may use system inventory tools or scripts to check the installed version. For example, on Windows, you can use the following command in PowerShell to list installed Office versions:

  • Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*Microsoft Office*" } | Select-Object DisplayName, DisplayVersion

Additionally, Microsoft may provide detection guidance or tools in their official security updates or advisories. Refer to the Microsoft Security Response Center (MSRC) for any available detection scripts or tools.

Mitigation Strategies

To mitigate CVE-2026-56193, apply the latest security updates provided by Microsoft for the affected versions of Microsoft Office. The following steps are recommended:

  • Visit the Microsoft Update Guide for CVE-2026-56193 to download and install the latest patches.
  • Ensure automatic updates are enabled for Microsoft Office to receive future security fixes promptly.
  • If patching is not immediately possible, consider restricting access to Microsoft Office applications for untrusted users or files until the update is applied.
  • Monitor Microsoft’s official communications for additional mitigation advice or workarounds.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56193. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart