medium threat

CVE-2026-41102: Microsoft PowerPoint Improper Access Control Vulnerability Leading to Local Spoofing

CVE-2026-41102 is an improper access control vulnerability in Microsoft Office PowerPoint that allows an authorized attacker to perform spoofing locally.

CVE-2026-41102 describes an improper access control vulnerability affecting Microsoft Office PowerPoint. An authorized, local attacker can exploit this vulnerability to perform spoofing actions. The vulnerability exists because the application performs insufficient checks on access rights. Successful exploitation could allow the attacker to mislead users or gain unauthorized privileges within the PowerPoint environment. Microsoft has released a patch to address this vulnerability, and users are urged to update their software to the latest version. This issue was publicly disclosed and assigned a CVSS v3.1 score of 7.1, indicating high severity.

Attack Chain

  1. An attacker gains local access to a system with a vulnerable version of Microsoft PowerPoint installed.
  2. The attacker crafts a malicious PowerPoint file or modifies an existing one.
  3. The crafted file leverages the improper access control vulnerability (CVE-2026-41102) to manipulate application behavior.
  4. A legitimate user opens the malicious PowerPoint file.
  5. Due to the access control flaw, the attacker’s crafted content spoofs legitimate elements of the PowerPoint interface or functionality.
  6. The spoofed elements mislead the user into performing unintended actions, such as providing credentials or executing malicious code.
  7. The attacker achieves their objective of spoofing application behavior for malicious purposes.
  8. The impact is limited to the local machine and user context.

Impact

Successful exploitation of CVE-2026-41102 allows a local attacker to spoof elements within Microsoft PowerPoint. This spoofing could mislead users into divulging sensitive information or performing actions that compromise their local system. While the vulnerability does not lead to remote code execution or denial of service, the potential for social engineering attacks makes it a significant concern. The CVSS v3.1 base score of 7.1 reflects the high confidentiality and integrity impact on the local system.

Recommendation

  • Apply the security update released by Microsoft to patch CVE-2026-41102 in Microsoft Office PowerPoint.
  • Educate users about the risks of opening untrusted PowerPoint files from unknown sources.
  • Monitor endpoint logs for suspicious PowerPoint activity using the Sigma rule provided to detect potential exploitation attempts.

Detection coverage 2

Detects CVE-2026-41102 Exploitation Attempt — Suspicious PowerPoint Process Creation

medium

Detects potential exploitation attempts of CVE-2026-41102 by monitoring for unusual child processes spawned by PowerPoint.

sigma; tactics: defense_evasion; techniques: T1059.001; sources: process_creation, windows

Detects CVE-2026-41102 Exploitation Attempt — PowerPoint Creating Suspicious Files

medium

Detects potential exploitation attempts of CVE-2026-41102 by monitoring for unusual files created by PowerPoint.

sigma; tactics: defense_evasion; techniques: T1059.001; sources: file_event, windows
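The logic behind the first rule above (unusual child processes spawned by PowerPoint), written out in Python as an added example; it is not the platform's Sigma rule. The watch list of child binaries and the sample events are assumptions constructed for illustration, and the field names follow Sysmon Event ID 1.

```python
import ntpath

# Assumed watch list (not from the advisory): script interpreters and
# proxy-execution binaries that PowerPoint has no routine reason to launch.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
PARENT = "powerpnt.exe"


def _basename(path):
    """Lower-cased executable name from a Windows path, tolerating quotes and None."""
    return ntpath.basename((path or "").strip().strip('"')).lower()


def suspicious_powerpoint_children(events):
    """Return process-creation events where PowerPoint spawned a watched child."""
    hits = []
    for ev in events:
        if _basename(ev.get("ParentImage")) != PARENT:
            continue  # only PowerPoint as the parent is in scope
        if _basename(ev.get("Image")) in SUSPICIOUS_CHILDREN:
            hits.append(ev)
    return hits


# Constructed sample events (not real telemetry).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
SAMPLE_EVENTS = [
    # PowerPoint launching PowerShell: flagged
    {"ParentImage": OFFICE,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # PowerPoint launching the print helper: benign, not flagged
    {"ParentImage": OFFICE, "Image": r"C:\Windows\splwow64.exe"},
    # cmd.exe from Explorer: parent is not PowerPoint, not flagged
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Quoted, lower-cased parent path: still matched after normalisation
    {"ParentImage": '"' + OFFICE.lower() + '"',
     "Image": r"C:\Windows\System32\mshta.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_powerpoint_children(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "<-", hit["ParentImage"])
```

A match here is a triage lead rather than proof of exploitation; tune the watch list against what PowerPoint add-ins legitimately launch in your environment.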
