PatchSiren

CVE-2026-42831 Microsoft CVE debrief

CVE-2026-42831 is a high-severity Microsoft Office issue published on 2026-05-12 and updated on 2026-05-19. The official record describes a heap-based buffer overflow that could let an unauthorized attacker execute code locally. NVD links the issue to Microsoft Office builds on Android and macOS, and Microsoft’s advisory is the primary vendor reference.

Vendor: Microsoft
Product: Office
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Administrators and security teams managing Microsoft Office on Android or macOS should prioritize this issue, especially where users can open untrusted files or documents.

Technical summary

The official record classifies the weakness as CWE-122 (heap-based buffer overflow) with CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vector describes a local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N) and required user interaction (UI:R), so exploitation depends on local access conditions and on a user taking an action. Successful exploitation could have high impact across confidentiality, integrity, and availability. NVD lists vulnerable Office CPEs including Android builds before 16.0.19822.20190 and Office 2024 LTSC / Office LTSC 2021 for macOS.

Defensive priority

High. The combination of code execution potential and affected productivity software makes this important to patch promptly on exposed endpoints.

Recommended defensive actions

  • Review the Microsoft Security Response Center advisory for CVE-2026-42831 and confirm whether your Office builds are affected.
  • Prioritize updates for Microsoft Office on Android and macOS, including the versions and product lines listed in NVD.
  • Validate installed Office versions against the published vulnerable ranges, especially Android builds below 16.0.19822.20190.
  • Reduce exposure to untrusted documents and enforce standard endpoint protections while remediation is underway.
  • Re-scan managed devices after patching to confirm the vulnerable versions are removed.
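The version validation step above can be scripted against a device inventory export. The following is an added example, not code from Microsoft, NVD or this site; the inventory field names (host, platform, product, version) and the sample records are constructed assumptions, and macOS entries are only flagged for manual review because the page gives no build boundary for them.

```python
import re

# From the page: NVD lists Office for Android builds before this one as vulnerable.
ANDROID_FIXED_BUILD = (16, 0, 19822, 20190)
# From the page: macOS product lines named by NVD (no build boundary is given).
MACOS_LISTED_LINES = ("office 2024 ltsc", "office ltsc 2021")

def parse_build(text):
    """Turn '16.0.19822.20190' into a 4-int tuple; None if the string is malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad short versions with zeros

def triage(device):
    """Return (status, reason) for one inventory record (field names are assumed)."""
    platform = device.get("platform", "").lower()
    product = device.get("product", "").lower()
    if platform == "android":
        build = parse_build(device.get("version", ""))
        if build is None:
            return "review", "unparseable version string"
        if build < ANDROID_FIXED_BUILD:  # numeric tuple compare, not string compare
            return "vulnerable", "Android build below 16.0.19822.20190"
        return "ok", "Android build at or above 16.0.19822.20190"
    if platform == "macos":
        if any(line in product for line in MACOS_LISTED_LINES):
            return "review", "listed macOS product line; check build in the advisory"
        return "not_listed", "macOS product line not named on this page"
    return "not_applicable", "platform not listed for this CVE"

def report(inventory):
    """Map each host to its triage status."""
    return {d["host"]: triage(d)[0] for d in inventory}

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "tab-014", "platform": "Android", "product": "Office", "version": "16.0.19822.20188"},
    {"host": "tab-015", "platform": "Android", "product": "Office", "version": "16.0.19822.20190"},
    {"host": "tab-016", "platform": "Android", "product": "Office", "version": "16.0.19901"},
    {"host": "tab-017", "platform": "Android", "product": "Office", "version": "16.0.x"},
    {"host": "mac-201", "platform": "macOS", "product": "Office LTSC 2021", "version": "16.89"},
    {"host": "win-301", "platform": "Windows", "product": "Office", "version": "16.0.1"},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d["host"], *triage(d), sep="\t")
```

Running the same check after patching covers the re-scan step: any host still reported as vulnerable or review needs follow-up.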

Evidence notes

Based on the official NVD record and Microsoft’s linked advisory. NVD states vulnStatus 'Analyzed', weakness CWE-122, CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and lists vulnerable Office CPEs for Android and macOS. No exploit details or vendor remediation steps beyond the presence of the advisory link are included.

Official resources

Publicly listed in the official CVE/NVD record on 2026-05-12 and updated on 2026-05-19. This debrief uses the CVE published date for timing context.