Excel Microsoft Excel Spreadsheet Software

Do you want an email whenever new security vulnerabilities are reported in Microsoft Excel?

Recent Microsoft Excel Security Advisories

Advisory Title Published
CVE-2023-36041 Microsoft Excel Remote Code Execution Vulnerability November 14, 2023
CVE-2023-36037 Microsoft Excel Security Feature Bypass Vulnerability November 14, 2023
CVE-2023-36766 Microsoft Excel Information Disclosure Vulnerability September 12, 2023
CVE-2023-36896 Microsoft Excel Remote Code Execution Vulnerability August 8, 2023
CVE-2023-33161 Microsoft Excel Remote Code Execution Vulnerability July 11, 2023
CVE-2023-33161 Microsoft Excel Remote Code Execution Vulnerability July 11, 2023
CVE-2023-33158 Microsoft Excel Remote Code Execution Vulnerability July 11, 2023
CVE-2023-33158 Microsoft Excel Remote Code Execution Vulnerability July 11, 2023
CVE-2023-33162 Microsoft Excel Information Disclosure Vulnerability July 11, 2023
CVE-2023-33162 Microsoft Excel Information Disclosure Vulnerability July 11, 2023

Known Exploited Microsoft Excel Vulnerabilities

The following Microsoft Excel vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Microsoft Excel Remote Code Execution Vulnerability A remote code execution vulnerability exists in Microsoft Excel when the software fails to properly handle objects in memory. CVE-2019-1297 March 3, 2022
Microsoft Office Security Feature Bypass Vulnerability A security feature bypass vulnerability exists when Microsoft Office improperly handles input. An attacker who successfully exploited the vulnerability could execute arbitrary commands. CVE-2016-7262 March 3, 2022
Microsoft Excel Featheader Record Memory Corruption Vulnerability Microsoft Office Excel allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset. CVE-2009-3129 March 3, 2022

By the Year

In 2024 there have been 1 vulnerability in Microsoft Excel with an average score of 7.8 out of ten. Last year Excel had 8 security vulnerabilities published. Right now, Excel is on track to have less security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.38.

Year Vulnerabilities Average Score
2024 1 7.80
2023 8 7.43
2022 10 7.49
2021 28 7.47
2020 32 7.86
2019 11 7.51
2018 22 7.23

It may take a day or so for new Excel vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Microsoft Excel Security Vulnerabilities

Microsoft Office Remote Code Execution Vulnerability

CVE-2024-20673 7.8 - High - February 13, 2024

Microsoft Office Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2023-36041 7.8 - High - November 14, 2023

Microsoft Excel Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Security Feature Bypass Vulnerability

CVE-2023-36037 7.8 - High - November 14, 2023

Microsoft Excel Security Feature Bypass Vulnerability

Microsoft Excel Information Disclosure Vulnerability

CVE-2023-36766 5.5 - Medium - September 12, 2023

Microsoft Excel Information Disclosure Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2023-33133 7.8 - High - June 14, 2023

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2023-32029 7.8 - High - June 14, 2023

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2023-24953 7.8 - High - May 09, 2023

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2023-23399 7.8 - High - March 14, 2023

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Spoofing Vulnerability

CVE-2023-23398 7.1 - High - March 14, 2023

Microsoft Excel Spoofing Vulnerability

Microsoft Excel Security Feature Bypass Vulnerability

CVE-2022-41104 5.5 - Medium - November 09, 2022

Microsoft Excel Security Feature Bypass Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2022-41106 8.8 - High - November 09, 2022

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2022-41063 7.8 - High - November 09, 2022

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Security Feature Bypass Vulnerability

CVE-2022-33631 7.3 - High - August 09, 2022

Microsoft Excel Security Feature Bypass Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2022-30173 7.8 - High - June 15, 2022

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2022-29110 7.8 - High - May 10, 2022

Microsoft Excel Remote Code Execution Vulnerability

Windows Graphics Component Remote Code Execution Vulnerability

CVE-2022-26903 7.8 - High - April 15, 2022

Windows Graphics Component Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2022-26901 7.8 - High - April 15, 2022

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Information Disclosure Vulnerability

CVE-2022-22716 5.5 - Medium - February 09, 2022

Microsoft Excel Information Disclosure Vulnerability

Buffer Overflow

Microsoft Office Remote Code Execution Vulnerability

CVE-2022-21840 8.8 - High - January 11, 2022

Microsoft Office Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-43256 7.8 - High - December 15, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Security Feature Bypass Vulnerability

CVE-2021-42292 7.8 - High - November 10, 2021

Microsoft Excel Security Feature Bypass Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-40442 7.8 - High - November 10, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-40485 7.8 - High - October 13, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-40474 7.8 - High - October 13, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Information Disclosure Vulnerability

CVE-2021-40472 5.5 - Medium - October 13, 2021

Microsoft Excel Information Disclosure Vulnerability

Microsoft Office Graphics Remote Code Execution Vulnerability

CVE-2021-38660 7.8 - High - September 15, 2021

Microsoft Office Graphics Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-38655 7.8 - High - September 15, 2021

Microsoft Excel Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-34501 7.8 - High - July 14, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-34518 7.8 - High - July 14, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-31939 7.8 - High - June 08, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Office Remote Code Execution Vulnerability

CVE-2021-31179 7.8 - High - May 11, 2021

Microsoft Office Remote Code Execution Vulnerability

Microsoft Office Information Disclosure Vulnerability

CVE-2021-31178 5.5 - Medium - May 11, 2021

Microsoft Office Information Disclosure Vulnerability

Integer underflow

Microsoft Office Remote Code Execution Vulnerability

CVE-2021-31177 7.8 - High - May 11, 2021

Microsoft Office Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Information Disclosure Vulnerability

CVE-2021-31174 5.5 - Medium - May 11, 2021

Microsoft Excel Information Disclosure Vulnerability

Out-of-bounds Read

Microsoft Office Remote Code Execution Vulnerability

CVE-2021-31175 7.8 - High - May 11, 2021

Microsoft Office Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-28451 7.8 - High - April 13, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Office Remote Code Execution Vulnerability

CVE-2021-28449 7.8 - High - April 13, 2021

Microsoft Office Remote Code Execution Vulnerability

Microsoft Excel Information Disclosure Vulnerability

CVE-2021-28456 5.5 - Medium - April 13, 2021

Microsoft Excel Information Disclosure Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-27053 7.8 - High - March 11, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-27054 7.8 - High - March 11, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Office Remote Code Execution Vulnerability

CVE-2021-27057 7.8 - High - March 11, 2021

Microsoft Office Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-24067 7.8 - High - February 25, 2021

Microsoft Excel Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-24068 7.8 - High - February 25, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-24069 7.8 - High - February 25, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-24070 7.8 - High - February 25, 2021

Microsoft Excel Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-1713 7.8 - High - January 12, 2021

Microsoft Excel Remote Code Execution Vulnerability

Buffer Overflow

Microsoft Excel Remote Code Execution Vulnerability

CVE-2021-1714 7.8 - High - January 12, 2021

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17123 7.8 - High - December 10, 2020

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17125 7.8 - High - December 10, 2020

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Information Disclosure Vulnerability

CVE-2020-17126 5.5 - Medium - December 10, 2020

Microsoft Excel Information Disclosure Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17127 7.8 - High - December 10, 2020

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17128 7.8 - High - December 10, 2020

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17129 7.8 - High - December 10, 2020

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Security Feature Bypass Vulnerability

CVE-2020-17130 6.5 - Medium - December 10, 2020

Microsoft Excel Security Feature Bypass Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17064 7.8 - High - November 11, 2020

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17065 7.8 - High - November 11, 2020

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17066 7.8 - High - November 11, 2020

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Security Feature Bypass Vulnerability

CVE-2020-17067 7.8 - High - November 11, 2020

Microsoft Excel Security Feature Bypass Vulnerability

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-16929 7.8 - High - October 16, 2020

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p> <p>The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.</p>

Dangling pointer

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-16931 7.8 - High - October 16, 2020

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p> <p>The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.</p>

Use of Uninitialized Resource

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-16932 7.8 - High - October 16, 2020

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p> <p>The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.</p>

Use of Uninitialized Resource

<p>An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory

CVE-2020-1224 5.5 - Medium - September 11, 2020

<p>An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the users computer or data.</p> <p>To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created.</p> <p>The update addresses the vulnerability by changing the way certain Excel functions handle objects in memory.</p>

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1332 7.8 - High - September 11, 2020

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p> <p>The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.</p>

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1335 7.8 - High - September 11, 2020

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p> <p>The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.</p>

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1594 7.8 - High - September 11, 2020

<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p> <p>The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.</p>

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1494 8.8 - High - August 17, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1495 8.8 - High - August 17, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1496 8.8 - High - August 17, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory

CVE-2020-1497 5.5 - Medium - August 17, 2020

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the users computer or data. To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created. The update addresses the vulnerability by changing the way certain Excel functions handle objects in memory.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1498 8.8 - High - August 17, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1504 8.8 - High - August 17, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1225 8.8 - High - June 09, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1226.

Buffer Overflow

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-1226 8.8 - High - June 09, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1225.

Buffer Overflow

A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries

CVE-2020-0760 8.8 - High - April 15, 2020

A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries, aka 'Microsoft Office Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0991.

Improper Input Validation

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-0906 8.8 - High - April 15, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0979.

Buffer Overflow

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-0759 8.8 - High - February 11, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.

Buffer Overflow

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-0650 7.8 - High - January 14, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0651, CVE-2020-0653.

Buffer Overflow

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2020-0651 7.8 - High - January 14, 2020

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0650, CVE-2020-0653.

Buffer Overflow

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory

CVE-2020-0652 7.8 - High - January 14, 2020

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka 'Microsoft Office Memory Corruption Vulnerability'.

Buffer Overflow

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory

CVE-2019-1464 5.5 - Medium - December 10, 2019

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka 'Microsoft Excel Information Disclosure Vulnerability'.

Information Disclosure

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory

CVE-2019-1446 5.5 - Medium - November 12, 2019

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka 'Microsoft Excel Information Disclosure Vulnerability'.

Information Disclosure

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2019-1448 7.8 - High - November 12, 2019

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2019-1327 8.8 - High - October 10, 2019

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1331.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2019-1331 8.8 - High - October 10, 2019

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1327.

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory

CVE-2019-1263 5.5 - Medium - September 11, 2019

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka 'Microsoft Excel Information Disclosure Vulnerability'.

Information Disclosure

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2019-1297 8.8 - High - September 11, 2019

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2019-1110 8.8 - High - July 15, 2019

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1111.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2019-1111 8.8 - High - July 15, 2019

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1110.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2019-0828 7.8 - High - April 09, 2019

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka 'Microsoft Excel Remote Code Execution Vulnerability'.

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory

CVE-2019-0669 6.5 - Medium - March 05, 2019

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka 'Microsoft Excel Information Disclosure Vulnerability'.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2018-8597 7.8 - High - December 12, 2018

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Office 365 ProPlus, Microsoft Office, Microsoft Excel. This CVE ID is unique from CVE-2018-8636.

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory

CVE-2018-8598 4.7 - Medium - December 12, 2018

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka "Microsoft Excel Information Disclosure Vulnerability." This affects Office 365 ProPlus, Microsoft Office, Microsoft Excel. This CVE ID is unique from CVE-2018-8627.

An information disclosure vulnerability exists when Microsoft Excel software reads out of bound memory due to an uninitialized variable

CVE-2018-8627 5.5 - Medium - December 12, 2018

An information disclosure vulnerability exists when Microsoft Excel software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory, aka "Microsoft Excel Information Disclosure Vulnerability." This affects Microsoft Office, Office 365 ProPlus, Microsoft Excel, Microsoft Excel Viewer, Excel. This CVE ID is unique from CVE-2018-8598.

Use of Uninitialized Resource

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2018-8636 7.8 - High - December 12, 2018

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Office 365 ProPlus, Microsoft Office, Microsoft Excel. This CVE ID is unique from CVE-2018-8597.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2018-8577 7.8 - High - November 14, 2018

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Office, Office 365 ProPlus, Microsoft Excel, Microsoft Excel Viewer, Excel. This CVE ID is unique from CVE-2018-8574.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in Protected View

CVE-2018-8502 8.8 - High - October 10, 2018

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in Protected View, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Office 365 ProPlus, Microsoft Office, Microsoft Excel.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2018-8331 7.8 - High - September 13, 2018

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Office.

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory

CVE-2018-8429 5.5 - Medium - September 13, 2018

An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka "Microsoft Excel Information Disclosure Vulnerability." This affects Microsoft Excel Viewer, Microsoft Office, Microsoft Excel.

Information Disclosure

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2018-8375 7.8 - High - August 15, 2018

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel Viewer, Microsoft Office, Microsoft Excel. This CVE ID is unique from CVE-2018-8379.

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory

CVE-2018-8379 7.8 - High - August 15, 2018

A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka "Microsoft Excel Remote Code Execution Vulnerability." This affects Microsoft Excel. This CVE ID is unique from CVE-2018-8375.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Microsoft Excel 2013 Rt or by Microsoft? Click the Watch button to subscribe.

Microsoft
Vendor

Microsoft Excel
Spreadsheet Software

subscribe