{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/excel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32198"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["use-after-free","excel","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32198 is a critical use-after-free vulnerability affecting Microsoft Office Excel. Discovered and reported on April 14, 2026, this vulnerability allows an unauthenticated, local attacker to execute arbitrary code on a target system. The vulnerability stems from improper memory management within Excel while processing malformed or specially crafted Excel files. Successful exploitation of this flaw could lead to complete system compromise, allowing attackers to install malware, steal sensitive data, or pivot to other systems within the network. 
This vulnerability impacts systems running vulnerable versions of Microsoft Office Excel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Excel file designed to trigger the use-after-free vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious Excel file to the victim via social engineering.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious Excel file using a vulnerable version of Microsoft Office Excel.\u003c/li\u003e\n\u003cli\u003eExcel attempts to access a memory location that has already been freed, triggering the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the execution flow due to the use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the Excel process\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the user running Excel.\u003c/li\u003e\n\u003cli\u003eThe attacker can install malware, steal data, or perform other malicious activities on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32198 allows an attacker to execute arbitrary code on a vulnerable system. This can lead to complete system compromise, data theft, malware installation, and potentially further network compromise. 
Organizations that rely heavily on Excel for data processing and analysis are particularly at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch released by Microsoft to address CVE-2026-32198 on all systems running Microsoft Office Excel.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect potential exploitation attempts of CVE-2026-32198.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening suspicious or unexpected Excel files delivered via email or other means.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-excel-use-after-free/","summary":"CVE-2026-32198 is a use-after-free vulnerability in Microsoft Office Excel that allows an attacker to execute code locally on a vulnerable system.","title":"Microsoft Office Excel Use-After-Free Vulnerability (CVE-2026-32198)","url":"https://feed.craftedsignal.io/briefs/2026-04-excel-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32189"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["use-after-free","code-execution","excel","cve-2026-32189"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32189 is a use-after-free vulnerability affecting Microsoft Office Excel. This flaw can be exploited by an attacker to execute arbitrary code on a vulnerable system. The vulnerability arises from improper memory management within the application when handling specific Excel files. While the exact versions affected are not detailed, the vulnerability was reported on April 14, 2026. Successful exploitation requires a user to open a specially crafted Excel file, which triggers the use-after-free condition. 
This vulnerability is significant because it allows for local code execution, potentially leading to further compromise of the affected system. Defenders should prioritize patching vulnerable Excel installations and implement detection measures to identify potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Excel file designed to trigger the use-after-free vulnerability (CVE-2026-32189).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious Excel file to the victim via email or other means.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious Excel file using a vulnerable version of Microsoft Excel.\u003c/li\u003e\n\u003cli\u003eExcel attempts to access a memory location that has already been freed, triggering the use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical data structures in Excel\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects program execution to attacker-controlled code within the Excel process.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code with the privileges of the user running Excel.\u003c/li\u003e\n\u003cli\u003eThe attacker can then install malware, steal sensitive data, or perform other malicious actions on the local system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32189 allows an attacker to execute arbitrary code on the victim\u0026rsquo;s machine. This can lead to a complete compromise of the system, including data theft, malware installation, and privilege escalation. The vulnerability poses a significant risk to organizations that rely on Microsoft Excel for daily operations, as a single compromised user can provide a foothold for further attacks within the network. 
While specific victim counts are unavailable, the widespread use of Microsoft Excel suggests a potentially large attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-32189 immediately (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32189\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32189\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect potential exploitation attempts based on suspicious process creation and file activity.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual child processes spawned by Excel.exe, using \u003ccode\u003elogsource\u003c/code\u003e category \u003ccode\u003eprocess_creation\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor file access events for Excel accessing unusual locations or creating suspicious files, using \u003ccode\u003elogsource\u003c/code\u003e category \u003ccode\u003efile_event\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-excel-uaf/","summary":"CVE-2026-32189 is a use-after-free vulnerability in Microsoft Excel that allows a local attacker to execute arbitrary code by exploiting memory corruption.","title":"Microsoft Excel Use-After-Free Vulnerability (CVE-2026-32189)","url":"https://feed.craftedsignal.io/briefs/2026-04-excel-uaf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-32188"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["excel","out-of-bounds read","cve-2026-32188","information disclosure","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32188 describes an out-of-bounds read vulnerability affecting Microsoft Office Excel. 
According to the NVD, this vulnerability allows an unauthorized attacker to disclose information locally. The CVSS v3.1 score is 7.1, indicating a high severity. The vulnerability resides within how Excel parses certain file formats, potentially allowing a malicious actor to craft a file that, when opened, causes Excel to read memory outside of allocated buffers. This can lead to the disclosure of sensitive information contained in the application\u0026rsquo;s memory space. While the source doesn\u0026rsquo;t specify affected versions or a specific attack campaign, successful exploitation requires user interaction to open the malicious file. Defenders should focus on detecting abnormal process behavior in Excel and promptly applying available patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Excel file designed to trigger the out-of-bounds read vulnerability (CVE-2026-32188).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted Excel file to a victim via social engineering or other means.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious Excel file.\u003c/li\u003e\n\u003cli\u003eExcel attempts to parse the malformed data structures within the file.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, Excel reads memory outside the intended buffer boundaries.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read results in the disclosure of sensitive information from Excel\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the disclosed information, potentially containing sensitive data or internal application state.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the disclosed information for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32188 can lead to the disclosure of sensitive information from the 
victim\u0026rsquo;s system. While the vulnerability is local, the disclosed information could include credentials, internal network details, or other sensitive data that could be used for further attacks. The number of potential victims is broad, encompassing any user of Microsoft Office Excel. The impact could range from minor data leaks to more significant compromises depending on the nature of the disclosed information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-32188 on all affected systems. Reference the Microsoft advisory linked in the references section for specific instructions.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious Excel Process Creation\u0026rdquo; to identify potentially malicious Excel activity.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual network connections originating from Excel processes after opening untrusted documents.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening unsolicited or suspicious Excel files to prevent initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-excel-oob-read/","summary":"An out-of-bounds read vulnerability in Microsoft Office Excel (CVE-2026-32188) allows a local attacker to potentially disclose sensitive information through a maliciously crafted Excel file.","title":"Microsoft Excel Out-of-Bounds Read Vulnerability (CVE-2026-32188)","url":"https://feed.craftedsignal.io/briefs/2026-04-excel-oob-read/"}],"language":"en","title":"CraftedSignal Threat Feed — Excel","version":"https://jsonfeed.org/version/1.1"}