PatchSiren cyber security CVE debrief
CVE-2022-41107 Microsoft CVE debrief
A remote code execution vulnerability in Microsoft Office Graphics allows an attacker to execute arbitrary code when a user opens a maliciously crafted file. Exploitation requires user interaction and a local attack vector, with high impact to confidentiality, integrity, and availability.
- Vendor: Microsoft
- Product: Microsoft Office 2019
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2022-11-09
- Original CVE updated: 2026-05-19
- Advisory published: 2022-11-09
- Advisory updated: 2026-05-19
Who should care
Organizations running Microsoft Office 2019, Office LTSC 2021, or Microsoft 365 Apps for Enterprise should prioritize patching. Security teams should focus on endpoint protection and user awareness given the user-interaction requirement. Organizations with strict patch management cycles should expedite updates for this HIGH severity vulnerability.
Technical summary
CVE-2022-41107 is a remote code execution vulnerability in Microsoft Office Graphics. The vulnerability has a CVSS 3.1 score of 7.8 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack uses a local vector with low complexity and requires no privileges, but it does require user interaction, typically obtained through social engineering that convinces a user to open a malicious file. Successful exploitation gives the attacker high impact across confidentiality, integrity, and availability. The vulnerability affects Microsoft 365 Apps for Enterprise, Office 2019 (Windows and macOS), and Office LTSC 2021 (Windows and macOS). The NVD weakness classification shows 'NVD-CWE-noinfo', indicating that no specific CWE was assigned to the record. The vulnerability record was last modified on May 19, 2026, suggesting ongoing curation or updates to the entry.
Defensive priority
high
Recommended defensive actions
- Apply security updates from Microsoft for affected Office products as referenced in the Microsoft Security Response Center guidance
- Prioritize patching for systems running Microsoft 365 Apps for Enterprise, Office 2019, and Office LTSC 2021
- Implement attack surface reduction rules to block Office applications from creating child processes
- Enable Microsoft Defender Application Guard for Office to isolate untrusted documents
- Educate users on phishing risks and safe handling of documents from untrusted sources
- Consider implementing Microsoft Defender for Office 365 for additional protection against malicious attachments
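The following PowerShell is an added example for the attack surface reduction action above; it is not part of the PatchSiren debrief or Microsoft's own guidance. It assumes Microsoft Defender Antivirus is the active engine on the endpoint and the session is elevated. The rule GUID is Microsoft's published identifier for "Block all Office applications from creating child processes", and the event IDs 1121 (block) and 1122 (audit) are the documented Defender operational-log events for ASR rules.

```powershell
# Added example (not from the debrief or Microsoft): enable the Defender ASR rule
# that blocks Office applications from creating child processes, then verify it.
# Assumptions: Defender AV is active, session is elevated.

$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Block all Office apps from creating child processes

# Start in AuditMode to observe impact without breaking workflows; switch to
# 'Enabled' (block) after reviewing the audit events. Add-MpPreference updates
# only the listed rule; Set-MpPreference would overwrite the whole rule list.
$Mode = 'AuditMode'   # change to 'Enabled' to enforce
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions $Mode

# Verify the configured action. Values: 0=Disabled, 1=Block, 2=Audit, 6=Warn.
$pref  = Get-MpPreference
$state = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $state[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
}
$expected = if ($Mode -eq 'Enabled') { 1 } else { 2 }
if ($state[$RuleId] -eq $expected) {
    Write-Output "ASR rule $RuleId is configured as $Mode"
} else {
    Write-Warning "ASR rule $RuleId state is $($state[$RuleId]), expected $expected"
}

# Review recent ASR events for this rule (1121 = blocked, 1122 = audited).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId } |
    Select-Object TimeCreated, Id, Message
```

Run it once in AuditMode across a pilot group, review the 1122 events for legitimate Office add-ins or macros that spawn child processes, then flip `$Mode` to `Enabled` for enforcement.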
Evidence notes
The vulnerability affects multiple Microsoft Office products including Microsoft 365 Apps for Enterprise, Office 2019 (Windows and macOS), and Office LTSC 2021 (Windows and macOS). The CVSS 3.1 vector indicates a local attack vector with low attack complexity, requiring no privileges but user interaction. The NVD record shows vulnerability status as 'Modified' as of May 19, 2026.
Official resources
- CVE-2022-41107 CVE record (CVE.org)
- CVE-2022-41107 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Microsoft disclosed this vulnerability on November 9, 2022, as part of their monthly security update cycle. The vulnerability was subsequently modified in the NVD record on May 19, 2026.