CVE-2026-20952
published 2026-01-13CVE-2026-20952: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
high8.4CVSS 3.1
AVLACLPRNUINSUCHIHAH
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_365_apps_for_enterprise | >= 16.0.1 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_2016 | >= 16.0.0 < 16.0.5535.1000 | 16.0.5535.1000 |
| microsoft | microsoft_office_2019 | >= 19.0.0 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_ltsc_2021 | >= 16.0.1 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_ltsc_2024 | >= 16.0.0 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_ltsc_for_mac_2021 | >= 16.0.1 < 16.105.26011018 | 16.105.26011018 |
| microsoft | microsoft_office_ltsc_for_mac_2024 | >= 16.0.0 < 16.105.26011018 | 16.105.26011018 |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office_long_term_servicing_channel | — | — |
| microsoft | office_long_term_servicing_channel | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_32-bit_systems | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_64-bit_systems | — | — |
| msrc | microsoft_office_2016 | — | — |
| msrc | microsoft_office_2019_for_32-bit_editions | — | — |
| msrc | microsoft_office_2019_for_64-bit_editions | — | — |
| msrc | microsoft_office_ltsc_2021_for_32-bit_editions | — | — |
| msrc | microsoft_office_ltsc_2021_for_64-bit_editions | — | — |
| msrc | microsoft_office_ltsc_2024_for_32-bit_editions | — | — |
| msrc | microsoft_office_ltsc_2024_for_64-bit_editions | — | — |
| msrc | microsoft_office_ltsc_for_mac_2021 | — | — |
| msrc | microsoft_office_ltsc_for_mac_2024 | — | — |