PatchSiren cyber security CVE debrief
CVE-2026-25180 Microsoft CVE debrief
CVE-2026-25180 is a medium-severity (CVSS 3.1 base 5.5) information disclosure flaw in the Microsoft Graphics Component. Microsoft and NVD describe it as an out-of-bounds read (CWE-125) that lets an unauthorized local attacker disclose information. The CVSS vector indicates local access, low attack complexity, no privileges required and user interaction required, with high confidentiality impact and no integrity or availability impact.
- Vendor: Microsoft
- Product: Microsoft Office for Android (the NVD CPE ranges cited below also cover multiple Microsoft Windows client and server releases)
- CVSS: 5.5 MEDIUM (CVSS 3.1)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-10
- Original CVE updated: 2026-03-13
- Advisory published: 2026-03-10
- Advisory updated: 2026-03-13
Who should care
Administrators and security teams responsible for Microsoft Windows endpoints and servers, and for fleets running Microsoft Office for Android, should check whether their systems fall inside the affected version ranges in the NVD record. Because the attack vector is local, endpoint teams should prioritize devices where untrusted local users, shared workstations, or multi-user access patterns are common.
Technical summary
The issue is classified by Microsoft as CWE-125 (out-of-bounds read). The published CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N: the attacker needs local access (AV:L) and must get a user to take some action (UI:R), but needs no prior privileges (PR:N), and the scope is unchanged (S:U). An out-of-bounds read leaks memory adjacent to the intended buffer; the supplied data does not specify what data can be read. NVD's vulnerability data maps the issue across multiple Microsoft Windows client and server releases, as well as Microsoft Office for Android, with version-specific fixed builds. The security impact is information disclosure only (C:H); no integrity or availability impact is indicated, which is what brings the base score to 5.5 despite the high confidentiality rating.
Defensive priority
Moderate. The CVE is not listed as a known exploited vulnerability in the supplied corpus, but the confidentiality impact is high (C:H) and the affected surface spans multiple Windows client and server releases plus Office for Android. Patch planning should still be prompt, with shared or multi-user endpoints and servers that accept interactive local logons first, since those are where a local, user-interaction-required flaw is most reachable.
Recommended defensive actions
- Check the Microsoft Security Response Center advisory for CVE-2026-25180 and confirm the exact fixed build for each affected platform.
- Inventory Windows client and server versions, including the full build number rather than just the major release, against the NVD CPE ranges to identify exposed endpoints and servers.
- Prioritize patching on systems with shared local access, kiosk-style use, or other multi-user environments where local disclosure risk is more relevant.
- Update Microsoft Office for Android to a build at or above the fixed cutoff listed by NVD if that product is in use.
- Retest after remediation by re-running the inventory check: confirm the fixed build level is installed and that no older image, golden template, or rollback path remains in service.
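The inventory and retest steps above amount to one comparison: for each host, is the installed build inside a vulnerable cpeMatch range for that product? The script below is an added example for this debrief, not code from PatchSiren, Microsoft, or NVD. It follows the shape of the NVD 2.0 API record (`configurations` → `nodes` → `cpeMatch`, with `versionEndExcluding` and related keys), but the CPE product names, the cutoff build numbers, and the host inventory are constructed placeholders; the real cutoffs must be taken from the live NVD record for CVE-2026-25180 before the output means anything.

```python
"""Compare a host inventory against NVD cpeMatch ranges for CVE-2026-25180.

Added example for this debrief; not code from PatchSiren, Microsoft, or NVD.
CONFIGURATIONS mirrors the NVD 2.0 API layout, but every build number and
product entry below is a constructed placeholder, not the real fixed build.
"""
import re
from typing import Iterable

# Constructed stand-in for the NVD record's "configurations" array.
# Replace with the cpeMatch entries from the live NVD record before use.
CONFIGURATIONS = [
    {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*",
         "versionEndExcluding": "10.0.19045.9001"},   # placeholder cutoff
        {"vulnerable": True,
         "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "10.0.20348.9001"},   # placeholder cutoff
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:microsoft:office:*:*:*:*:*:android:*:*",
         "versionEndExcluding": "16.0.19999.00000"},  # placeholder cutoff
    ]}]}
]

# Constructed host inventory: (hostname, CPE product field, installed build).
# On Windows the full build is CurrentBuild plus UBR from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
INVENTORY = [
    ("ws-kiosk-01",     "windows_10_22h2",     "10.0.19045.8000"),
    ("ws-eng-07",       "windows_10_22h2",     "10.0.19045.9001"),
    ("srv-file-02",     "windows_server_2022", "10.0.20348.8500"),
    ("srv-file-03",     "windows_server_2022", "10.0.20348.9500"),
    ("tablet-sales-04", "office",              "16.0.19000.12345"),
]


def parse_build(version: str) -> tuple[int, ...]:
    """Turn '10.0.19045.8000' into (10, 0, 19045, 8000) for numeric comparison.
    Plain string comparison would rank '10.0.19045.900' above '10.0.19045.8000'."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def cpe_product(criteria: str) -> str:
    """The product is the fifth colon-separated field of a CPE 2.3 string."""
    return criteria.split(":")[4]


def in_vulnerable_range(build: str, match: dict) -> bool:
    """Apply NVD's four optional range keys; a missing key means unbounded."""
    b = parse_build(build)
    if "versionStartIncluding" in match and b < parse_build(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and b <= parse_build(match["versionStartExcluding"]):
        return False
    if "versionEndExcluding" in match and b >= parse_build(match["versionEndExcluding"]):
        return False
    if "versionEndIncluding" in match and b > parse_build(match["versionEndIncluding"]):
        return False
    return True


def vulnerable_hosts(inventory: Iterable[tuple[str, str, str]],
                     configurations: list[dict]) -> list[tuple[str, str]]:
    """Return (hostname, cutoff) for each host whose installed build falls
    inside a vulnerable cpeMatch range for its product."""
    matches = [m for cfg in configurations for node in cfg["nodes"]
               for m in node["cpeMatch"] if m.get("vulnerable")]
    hits = []
    for host, product, build in inventory:
        for m in matches:
            if cpe_product(m["criteria"]) == product and in_vulnerable_range(build, m):
                hits.append((host, m.get("versionEndExcluding", "see advisory")))
                break
    return hits


if __name__ == "__main__":
    for host, cutoff in vulnerable_hosts(INVENTORY, CONFIGURATIONS):
        print(f"{host}: below fixed build {cutoff}, patch required")
```

Running the same function after patching is the retest: a host that still appears has either not received the update or has rolled back to an older image. The check is deliberately exact-match on the CPE product field, so a host whose product string does not appear in any cpeMatch entry is reported as nothing at all; treat "no result" as "not assessed", not as "not affected".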
Evidence notes
This debrief uses only the supplied CVE record, NVD-derived source item, and Microsoft vendor advisory link. The CVE was published on 2026-03-10 and modified on 2026-03-13. No KEV entry or ransomware campaign association is present in the supplied data. The NVD record identifies CWE-125 and the CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. NVD CPE criteria in the supplied source list multiple Microsoft Windows client and server releases plus Microsoft Office for Android with specific fixed build cutoffs.
Official resources
- CVE-2026-25180 CVE record (CVE.org)
- CVE-2026-25180 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory (Microsoft)
Published by the CVE source on 2026-03-10T18:18:34.097Z; modified on 2026-03-13T17:40:01.323Z. No KEV date is listed in the supplied corpus.