CVE-2026-20944, CVE-2026-20955, and CVE-2026-20957 are critical remote code execution vulnerabilities affecting Microsoft Word and Microsoft Excel, posing a significant risk to organizations that rely on Microsoft Office for daily operations.
CVE-2026-20944 impacts Microsoft Word and carries a CVSS score of 8.4. The vulnerability stems from an out-of-bounds read weakness in Word’s document processing components. An attacker can exploit this flaw by sending a specially crafted Word document to a victim. If the file is opened, or even previewed using the Windows Preview Pane, arbitrary code can be executed under the context of the logged-in user, making this vulnerability particularly dangerous in enterprise environments.
CVE-2026-20955 and CVE-2026-20957 affect Microsoft Excel, each with a CVSS score of 7.8. These flaws are caused by an untrusted pointer dereference and an integer underflow that leads to a heap-based buffer overflow, respectively. Successful exploitation requires a user to open a malicious Excel file; however, unlike the Word vulnerability, the Preview Pane cannot be used as an attack vector.
All three vulnerabilities can be leveraged by unauthenticated attackers to gain code execution, emphasizing the importance of timely patching, user awareness, and enhanced endpoint monitoring to reduce exploitation risk.
Microsoft Office Suite
- Microsoft Word
  - Affected by CVE-2026-20944
- Microsoft Excel
  - Affected by CVE-2026-20955
  - Affected by CVE-2026-20957
How These Vulnerabilities Are Exploited (Plain Explanation)
CVE-2026-20944 – Microsoft Word
This flaw exists due to an out-of-bounds read in Word’s document parsing logic. A malicious Word file is crafted so that when Word processes certain internal structures, it reads memory outside of the intended buffer. This can corrupt execution flow and allow attacker-controlled code to run.
Important detail:
The Preview Pane in Windows Explorer can trigger the vulnerability. This means a user may be compromised without explicitly opening the document, simply by selecting it.
CVE-2026-20955 – Microsoft Excel
This vulnerability is caused by an untrusted pointer dereference. Excel incorrectly trusts a pointer value embedded in a document and attempts to access memory it should not. An attacker can manipulate this pointer to redirect execution to malicious payloads.
CVE-2026-20957 – Microsoft Excel
This flaw results from an integer underflow, which leads to a heap-based buffer overflow. By supplying specially crafted values inside the Excel file, memory allocation becomes smaller than required, allowing attacker data to overwrite adjacent memory.
Key distinction:
Unlike Word, the Preview Pane is not an attack vector for either Excel vulnerability; the user must actually open the file.
Comparison Table – Core Vulnerability Details
| CVE Name | Product | CVSS Score | Severity | Vulnerability Type | User Interaction | Preview Pane Exploitable | Exploit Availability |
|---|---|---|---|---|---|---|---|
| CVE-2026-20944 | Microsoft Word | 8.4 | Critical | Out-of-bounds read | Required | Yes | No public exploit observed |
| CVE-2026-20955 | Microsoft Excel | 7.8 | High | Untrusted pointer dereference | Required | No | No public exploit observed |
| CVE-2026-20957 | Microsoft Excel | 7.8 | High | Integer underflow → heap overflow | Required | No | No public exploit observed |
Attack Scenarios (Realistic Use Cases)
- Phishing emails with “invoice”, “resume”, or “report” themed attachments
- Internal lateral movement using shared network drives
- ZIP or ISO containers to bypass email security controls
- Weaponized Office documents delivered via collaboration platforms
Once opened, the attacker can:
- Install backdoors
- Steal credentials
- Deploy ransomware
- Move laterally within the network
MITRE ATT&CK Mapping
Tactics
- Initial Access
- Execution
- Privilege Escalation (if chained)
Techniques
- T1566.001 – Phishing: Attachment
- T1203 – Exploitation for Client Execution
- T1059 – Command and Scripting Interpreter
- T1105 – Ingress Tool Transfer
Detection Guidance
Behavioral Indicators
- Microsoft Word or Excel spawning:
  - cmd.exe
  - powershell.exe
  - mshta.exe
  - rundll32.exe
- Office processes making outbound network connections
- Unexpected child processes from Office applications
Example Detection Logic (Generic)
Rule Concept
```text
IF process_name IN (winword.exe, excel.exe)
AND child_process IN (cmd.exe, powershell.exe, mshta.exe, rundll32.exe)
THEN alert = "Suspicious Office RCE Behavior"
```
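The rule concept above, worked into runnable detection logic as an added example (not part of the original advisory): it evaluates Sysmon-style Event ID 1 (Process Create) and Event ID 3 (Network Connect) records, normalises full image paths to lowercase file names so that `C:\...\WINWORD.EXE` still matches, and covers the "Office process making outbound connections" indicator as well as the child-process rule. The event dictionaries and destination address are constructed sample telemetry, not real incident data.

```python
import ntpath
from typing import Iterable, Optional

# Process names from the advisory's rule concept; matched on lowercase basename.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}


def _basename(image: Optional[str]) -> str:
    """Sysmon logs full paths; reduce to a lowercase file name for matching."""
    return ntpath.basename(image or "").lower()


def evaluate(event: dict) -> Optional[str]:
    """Return an alert title for one Sysmon-style event, or None if benign.

    EventID 1: Office parent spawning a scripting/LOLBin child (high confidence).
    EventID 3: Office binary initiating an outbound connection (review; tune
               against known-good update/telemetry destinations in production).
    """
    eid = event.get("EventID")
    if eid == 1:
        parent, child = _basename(event.get("ParentImage")), _basename(event.get("Image"))
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            return f"Suspicious Office RCE Behavior: {parent} -> {child}"
    elif eid == 3:
        image = _basename(event.get("Image"))
        if image in OFFICE_PARENTS and event.get("Initiated", "true") == "true":
            dest = f"{event.get('DestinationIp')}:{event.get('DestinationPort')}"
            return f"Office outbound connection (review): {image} -> {dest}"
    return None


def scan(events: Iterable[dict]) -> list:
    """Run evaluate() over a stream of events and collect the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed sample telemetry (not real incident data).
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": OFFICE_DIR + r"\WINWORD.EXE", "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": OFFICE_DIR + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": OFFICE_DIR + r"\WINWORD.EXE"},
    {"EventID": 3, "Image": OFFICE_DIR + r"\EXCEL.EXE", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The third sample (Explorer launching Word) is the benign baseline that a naive substring match on "winword" would wrongly flag; the basename-and-parent check keeps it silent.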
Payload Characteristics
- Embedded shellcode inside document streams
- Abnormal memory allocation sizes
- Corrupted document structure fields
- Obfuscated macro-less payloads (file-format exploitation)
Recommended Log Sources
To reliably detect exploitation attempts, collect and monitor:
- Endpoint Detection & Response (EDR) telemetry
- Windows Security Logs
  - Process creation events
- Sysmon
  - Event ID 1 (Process Create)
  - Event ID 7 (Image Loaded)
- Email Security Gateway logs
- Proxy / Firewall logs
  - Outbound traffic from Office processes
Mitigation & Hardening
- Disable Preview Pane for Word documents where possible
- Block Office applications from spawning child processes
- Enable Attack Surface Reduction (ASR) rules
- Restrict outbound network access for Office binaries
- Educate users on document-based phishing risks
Official Patch Information (Only Official Source)
Microsoft has released Office security updates addressing all three vulnerabilities.
Official Patch Portal:
https://msrc.microsoft.com/update-guide
Search by CVE ID to confirm:
- CVE-2026-20944
- CVE-2026-20955
- CVE-2026-20957
Current Exploit Status
- No reliable public proof-of-concept exploits observed at this time
- No confirmed in-the-wild exploitation reported yet
- Due to low user interaction requirements and Preview Pane exposure (Word), exploitation risk remains high
Final Risk Assessment
These vulnerabilities are high-value targets for threat actors due to:
- Wide deployment of Microsoft Office
- Trusted document workflows
- Minimal user interaction
- Reliable post-exploitation capabilities
