PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-42295 Microsoft CVE debrief

CVE-2021-42295 is a Visual Basic for Applications (VBA) information disclosure vulnerability affecting multiple Microsoft Office products. Published on December 15, 2021, it carries a CVSS 3.1 score of 5.5 (MEDIUM severity) with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. Exploitation requires a local attack vector and user interaction, but can result in high confidentiality impact. Affected products include Microsoft 365 Apps for Enterprise (x64 and x86), Office 2013 SP1 (x64, x86, and RT), Office 2016 (x64 and x86), Office 2019 (x64 and x86), and Office LTSC 2021 (x64 and x86). The vulnerability was last modified on May 19, 2026, per NVD records. Microsoft has released security updates addressing this vulnerability. Organizations should apply the available patches from Microsoft to remediate this information disclosure risk in VBA environments.

Vendor: Microsoft
Product: Microsoft Office 2019
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2021-12-15
Original CVE updated: 2026-05-19
Advisory published: 2021-12-15
Advisory updated: 2026-05-19

Who should care

Organizations running Microsoft Office with VBA enabled, particularly those processing documents from external sources. Security teams managing Office patch compliance and endpoint protection configurations.

Technical summary

Local attack vector vulnerability in Visual Basic for Applications enabling information disclosure with high confidentiality impact. Requires user interaction. Affects multiple Office versions from 2013 through 2021.

Defensive priority

medium

Recommended defensive actions

  • Apply Microsoft security updates for affected Office versions per vendor advisory
  • Review VBA macro execution policies and restrict untrusted document sources
  • Monitor for anomalous VBA-related process behavior on endpoints
  • Validate Office patch levels across enterprise deployments

Evidence notes

CVE published 2021-12-15; modified 2026-05-19. CVSS 3.1: 5.5 MEDIUM. Affected: Microsoft 365 Apps Enterprise, Office 2013 SP1, 2016, 2019, LTSC 2021. Microsoft advisory confirms patch availability.

Official resources

2021-12-15