PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42832 Microsoft CVE debrief

CVE-2026-42832 is a HIGH severity (CVSS 7.7) improper access control vulnerability in Microsoft Office that allows an unauthorized attacker to perform spoofing attacks locally. The vulnerability was published on 2026-05-12 and last modified on 2026-05-19. Affected products include Microsoft Excel for Android (versions prior to 16.0.19822.20190), Microsoft Word for Android (versions prior to 16.0.19822.20190), Microsoft Office 2024 LTSC for macOS, and Microsoft Office Long Term Servicing Channel 2021 for macOS. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates a local attack vector with low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity. Microsoft has released security updates to address this vulnerability. Organizations should prioritize patching affected Office installations, particularly on Android and macOS platforms, to prevent local spoofing attacks that could lead to information disclosure or integrity compromise.

Vendor: Microsoft
Product: Microsoft Excel for Android
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Organizations using Microsoft Office on Android or macOS platforms, particularly those with bring-your-own-device (BYOD) policies or shared workstation environments where local access controls are critical. Security teams responsible for endpoint protection and patch management should prioritize this vulnerability due to its HIGH severity and potential for confidentiality and integrity impact.

Technical summary

Improper access control in Microsoft Office allows unauthorized local attackers to perform spoofing attacks. Affects Excel and Word for Android (pre-16.0.19822.20190) and Office 2024/2021 LTSC for macOS. CVSS 7.7 (HIGH). Patches available.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Microsoft security updates for affected Office products as referenced in the vendor advisory
  • Prioritize patching Microsoft Office installations on Android devices (Excel and Word) and macOS systems (Office 2024 LTSC and Office LTSC 2021)
  • Verify Android Office app versions are updated to 16.0.19822.20190 or later
  • Review local access controls on systems running affected Office products to limit exposure
  • Monitor for anomalous Office application behavior that may indicate spoofing attempts
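
One way to carry out the Android version check above across a fleet, as an added example that is not part of the original advisory or any Microsoft tooling. The inventory columns, device IDs and sample rows are constructed, and the package IDs are an assumption about how the Android apps appear in an MDM export; versions are compared field by field as integers because a plain string comparison misorders builds.

```python
import csv
import io

# Fixed build for the Android apps, as stated on this page.
FIXED_ANDROID = (16, 0, 19822, 20190)
# Assumption: package IDs under which Excel and Word for Android are inventoried.
AFFECTED_PACKAGES = {
    "com.microsoft.office.excel": "Excel for Android",
    "com.microsoft.office.word": "Word for Android",
}

# Constructed sample of an MDM app-inventory export (hypothetical columns).
SAMPLE_INVENTORY = """device_id,package,version
dev-001,com.microsoft.office.excel,16.0.19822.20190
dev-002,com.microsoft.office.word,16.0.19725.20160
dev-003,com.microsoft.office.excel,16.0.19822.20188
dev-004,com.microsoft.office.word,16.0.19900.20002
dev-005,com.microsoft.office.word,unknown
dev-006,com.example.notes,1.2.3
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not four numeric fields."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Classify each affected-app install as patched, vulnerable or unparsed."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = AFFECTED_PACKAGES.get(row["package"])
        if product is None:
            continue  # not one of the Android apps named in the advisory
        version = parse_version(row["version"])
        if version is None:
            status = "unparsed"  # unverified: do not count it as patched
        elif version < FIXED_ANDROID:
            status = "vulnerable"
        else:
            status = "patched"
        findings.append((row["device_id"], product, row["version"], status))
    return findings

if __name__ == "__main__":
    for device, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{device}  {product:<18} {version:<20} {status}")
```

Rows reported as unparsed need manual follow-up. The macOS LTSC products are out of scope here because the page gives no fixed build number for them.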

Evidence notes

Vulnerability details sourced from NVD and Microsoft Security Response Center. CVSS score and vector confirmed via NVD. Affected product versions identified through CPE criteria in NVD record. Vendor advisory confirms patch availability.
