{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/office-excel/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40362"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office Excel"],"_cs_severities":["high"],"_cs_tags":["cve","heap-based buffer overflow","excel","code execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40362 is a heap-based buffer overflow vulnerability affecting Microsoft Office Excel. This vulnerability allows an attacker with local access to execute arbitrary code. An unauthenticated attacker could exploit this vulnerability by crafting a malicious Excel file. User interaction is required, as the user must open the specially crafted file. Successful exploitation could lead to arbitrary code execution in the context of the current user. Defenders should prioritize patching this vulnerability to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Excel file (.xls or .xlsx) designed to trigger the heap-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target user. This could be via a shared network drive, removable media, or social engineering.\u003c/li\u003e\n\u003cli\u003eThe target user opens the malicious Excel file with Microsoft Office Excel.\u003c/li\u003e\n\u003cli\u003eExcel parses the malicious file, triggering the heap-based buffer overflow when processing a specific data structure within the file.\u003c/li\u003e\n\u003cli\u003eThe overflow allows the attacker to overwrite adjacent memory regions on the heap, potentially gaining control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to inject and execute malicious code within the Excel process.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the privileges of the user who opened the file, allowing for local code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions such as installing malware, exfiltrating data, or further compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40362 allows an attacker to execute arbitrary code on the victim\u0026rsquo;s machine. Due to the local nature of the attack, the impact is limited to the compromised system. An attacker can leverage this vulnerability to gain a foothold on the system, potentially leading to data theft, malware installation, or further lateral movement within the network, depending on the user\u0026rsquo;s privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-40362 in Microsoft Office Excel.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Excel File Execution\u0026rdquo; to identify potential exploitation attempts based on process creation events.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening untrusted or unsolicited Excel files.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for unusual or unexpected child processes spawned by Excel, as detected by \u0026ldquo;Detect Suspicious Excel Spawning\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:35:04Z","date_published":"2026-05-12T18:35:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40362/","summary":"A heap-based buffer overflow vulnerability, identified as CVE-2026-40362, exists in Microsoft Office Excel, allowing an unauthenticated attacker with local access to execute arbitrary code.","title":"CVE-2026-40362: Microsoft Excel Heap-based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40362/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40360"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office Excel"],"_cs_severities":["medium"],"_cs_tags":["cve","information-disclosure","excel"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40360 is a security vulnerability affecting Microsoft Office Excel. This out-of-bounds read vulnerability allows an unauthorized attacker to potentially disclose sensitive information locally. Exploitation of this vulnerability requires local access and user interaction as a prerequisite. This vulnerability was reported to Microsoft and assigned a CVSS base score of 7.8, indicating a high severity level. Successful exploitation results in information disclosure, though the scope of disclosure and potential impact on confidentiality is not detailed in the advisory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Excel file containing specific data structures designed to trigger the out-of-bounds read condition.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted Excel file to the victim through social engineering.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious Excel file using a vulnerable version of Microsoft Office Excel.\u003c/li\u003e\n\u003cli\u003eExcel attempts to read data from a memory location outside the intended buffer due to the crafted file.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read occurs, potentially disclosing sensitive data from adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe disclosed data is then accessible to the attacker, who can analyze it for sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40360 allows an attacker to disclose information locally. The CVSS score of 7.8 suggests that, while local access and user interaction are required, the potential impact on confidentiality is high. The advisory does not specify the type or amount of information that can be disclosed or the number of potential victims, but the impact could include exposure of sensitive data within the Excel file or from other memory locations accessible to the Excel process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to address CVE-2026-40360 as referenced in the advisory URL.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Excel Out-of-Bounds Read via Formula\u0026rdquo; to identify potential exploitation attempts based on formula patterns in Excel files.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to monitor for suspicious Excel processes as detected by the \u0026ldquo;Detect Suspicious Excel Process Creation\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:34:32Z","date_published":"2026-05-12T18:34:32Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40360-excel-oob-read/","summary":"CVE-2026-40360 is an out-of-bounds read vulnerability in Microsoft Office Excel that allows an unauthorized attacker to disclose sensitive information locally.","title":"CVE-2026-40360: Microsoft Excel Out-of-Bounds Read Information Disclosure","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40360-excel-oob-read/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40359"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office Excel"],"_cs_severities":["high"],"_cs_tags":["use-after-free","code execution","excel"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40359 is a use-after-free (UAF) vulnerability affecting Microsoft Office Excel. This vulnerability allows an unauthorized, local attacker to execute arbitrary code. The vulnerability exists due to improper handling of memory objects within Excel, leading to a situation where freed memory is accessed again. Successful exploitation allows the attacker to gain control over the affected system. This vulnerability was published on May 12, 2026, and poses a significant risk to systems running vulnerable versions of Microsoft Excel. An attacker could potentially leverage this vulnerability to install malware, steal sensitive data, or perform other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Excel file designed to trigger the use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe victim opens the specially crafted Excel file.\u003c/li\u003e\n\u003cli\u003eExcel attempts to access a memory location that has already been freed.\u003c/li\u003e\n\u003cli\u003eThe use-after-free condition leads to memory corruption.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical data structures within the Excel process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program counter by overwriting a function pointer or similar mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the Excel process, potentially gaining local code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40359 allows an attacker to execute arbitrary code locally on a targeted system. Given the ubiquitous use of Microsoft Excel in various sectors, a successful exploit can lead to significant damage, including data theft, malware installation, and potential system compromise. The CVSS v3.1 base score of 7.8 reflects the high potential impact, especially considering the ease of local exploitation if a user opens a malicious Excel file.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-40359 in Microsoft Office Excel as soon as possible, as referenced in the provided URL.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Excel Use-After-Free via Suspicious Process Creation\u003c/code\u003e to identify potential exploitation attempts based on unusual processes spawned by Excel.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture events necessary for the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:34:19Z","date_published":"2026-05-12T18:34:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40359-excel-uaf/","summary":"CVE-2026-40359 is a use-after-free vulnerability in Microsoft Office Excel that allows a local attacker to execute arbitrary code by exploiting memory corruption.","title":"CVE-2026-40359: Microsoft Excel Use-After-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40359-excel-uaf/"}],"language":"en","title":"CraftedSignal Threat Feed — Office Excel","version":"https://jsonfeed.org/version/1.1"}