CVE-2026-32188
Published: 14 April 2026
Summary
CVE-2026-32188 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 19.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32188 is an out-of-bounds read vulnerability (CWE-125) affecting Microsoft Office Excel. Published on 2026-04-14T18:17:23.410, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H). The issue enables an unauthorized attacker to disclose information locally through malformed Excel files.
The attack vector is Local (AV:L) in CVSS terms because the malicious file must be opened on the victim's machine, not because the attacker needs an account there: exploitation requires convincing a user to open a specially crafted Excel document (UI:R), with low attack complexity (AC:L) and no privileges required (PR:N). Successful exploitation leads to high-impact information disclosure (C:H) and high availability disruption (A:H), such as application crashes, with no integrity impact (I:N).
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32188 provides details on patches and mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22567
Vulnerability details
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds read in Excel is triggered by a user opening a malformed document (T1204.002), directly enabling client-side exploitation for information disclosure and denial of service (T1203).
Affected Assets
Microsoft Office Excel; consult the MSRC advisory linked above for the affected product builds.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires timely identification, reporting, and correction of known flaws such as this out-of-bounds read in Microsoft Office Excel by applying the vendor patches.
RA-5 (Vulnerability Monitoring and Scanning): mandates vulnerability scanning to identify unpatched Excel installations exposed to CVE-2026-32188 and to initiate remediation based on risk.
SI-3 (Malicious Code Protection): deploys malicious code protection at entry points (mail gateways, web proxies, endpoints) to scan and block specially crafted Excel files that exploit the vulnerability.