Cyber Resilience

CVE-2026-32188

High

Published: 14 April 2026

Modified: 17 April 2026
CVSS v3.1 Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS Score: 0.0006 (19.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32188 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 19.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32188 is an out-of-bounds read vulnerability (CWE-125) affecting Microsoft Office Excel. Published on 2026-04-14T18:17:23.410, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H). The issue enables an unauthorized attacker to disclose information locally through malformed Excel files.

Exploitation depends on convincing a user to open a specially crafted Excel document: the attack vector is local (AV:L), user interaction is required (UI:R), attack complexity is low (AC:L), and no privileges are needed (PR:N). Successful exploitation leads to high-impact information disclosure (C:H) and high availability disruption (A:H), such as application crashes, with no integrity impact (I:N).

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32188 provides details on patches and mitigation guidance.

Vulnerability details

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

CWE(s)

CWE-125 (Out-of-bounds Read)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

Out-of-bounds read in Excel is triggered by a user opening a malformed document (T1204.002), directly enabling client-side exploitation for information disclosure and denial of service (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20611 (shared CWE-125)
CVE-2025-1433 (shared CWE-125)
CVE-2024-12550 (shared CWE-125)
CVE-2025-1428 (shared CWE-125)
CVE-2026-27287 (shared CWE-125)
CVE-2026-32926 (shared CWE-125)
CVE-2025-61952 (shared CWE-125)
CVE-2026-23720 (shared CWE-125)
CVE-2025-0907 (shared CWE-125)
CVE-2025-27438 (shared CWE-125)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires timely identification, reporting, and correction of known flaws like the out-of-bounds read in Microsoft Office Excel via vendor patches.

prevent, detect

Mandates vulnerability scanning to identify unpatched instances of CVE-2026-32188 in Excel and initiate remediation based on risk.

prevent, detect

Deploys malicious code protection at entry points to scan and block specially crafted malicious Excel files exploiting the vulnerability.
