CVE-2026-20946
Published: 13 January 2026
Summary
CVE-2026-20946 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the out-of-bounds read vulnerability through patching Microsoft Office Excel as specified by the vendor.
Implements memory protection mechanisms such as address space layout randomization and data execution prevention to mitigate exploitation of the out-of-bounds read for code execution.
Deploys malicious code protection tools to scan and block malicious Excel files that exploit the vulnerability prior to user interaction.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in Excel enables local arbitrary code execution when a user opens a malicious file, directly mapping to Exploitation for Client Execution and User Execution via Malicious File.
NVD Description
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Deeper analysisAI
CVE-2026-20946 is an out-of-bounds read vulnerability, classified under CWE-125, affecting Microsoft Office Excel. Published on 2026-01-13, the flaw enables an unauthorized attacker to execute code locally and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
The vulnerability can be exploited by an unauthorized local attacker who requires low-complexity techniques and user interaction, such as convincing a user to open a malicious Excel file. No privileges are needed (PR:N), and exploitation remains confined to the local system without scope changes (S:U). Successful attacks allow arbitrary code execution with high-impact consequences across all security principles.
Microsoft's Security Response Center provides an update guide for mitigation at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20946, detailing patches and recommended actions for affected systems.
Details
- CWE(s)