CVE-2026-20953

High

Published: 13 January 2026

Published

13 January 2026

Modified

14 January 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.8th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20953 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and patching of the use-after-free vulnerability in Microsoft Office as detailed in the MSRC update guide.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as DEP and ASLR that directly mitigate exploitation of use-after-free vulnerabilities allowing local code execution.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Requires vulnerability scanning to identify the presence of CVE-2026-20953 in Microsoft Office systems for prompt remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

UAF in Office enables local arbitrary code execution (no privs/UI needed), directly mapping to client-side exploitation and local privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Deeper analysisAI

CVE-2026-20953 is a use-after-free vulnerability (CWE-416) affecting Microsoft Office. Published on 2026-01-13T18:16:23.150, it carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact with relatively low barriers to exploitation.

The vulnerability can be exploited by an unauthorized local attacker requiring only local access to the target system. Exploitation involves low attack complexity and demands no user interaction or privileges. Successful exploitation enables arbitrary code execution locally, compromising confidentiality, integrity, and availability at a high level.

Mitigation guidance and patches are detailed in the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20953.

Details

CWE(s): CWE-416

Affected Products

microsoft

365 apps

all versions

microsoft

office

2016, 2019

microsoft

office long term servicing channel

2021, 2024

CVEs Like This One

CVE-2026-20952Same product: Microsoft 365 Apps

CVE-2025-62557Same product: Microsoft 365 Apps

CVE-2025-49695Same product: Microsoft 365 Apps

CVE-2025-24080Same product: Microsoft 365 Apps

CVE-2025-53731Same product: Microsoft 365 Apps

CVE-2025-53740Same product: Microsoft 365 Apps

CVE-2025-21345Same product: Microsoft 365 Apps

CVE-2025-21392Same product: Microsoft 365 Apps

CVE-2025-24077Same product: Microsoft 365 Apps

CVE-2025-21366Same product: Microsoft 365 Apps

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20953
Vendor Advisory · secure@microsoft.com