CVE-2026-20953:

Use-after-free vulnerability in Microsoft Office enables local code execution.

Score
A numerical rating that indicates how dangerous this vulnerability is.

8.4High

Published Date:Jan 13, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.0
EPSS Percentile:6%

Exploitability

Score:2.5
Attack Vector:LOCAL
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Use-after-free vulnerability in Microsoft Office enables local code execution.

Overview

The vulnerability (CVE-2026-20953) in Microsoft Office is classified as a use-after-free flaw, corresponding to CWE-416. It allows an attacker to execute arbitrary code on the target system without requiring elevated privileges or user interaction. The CVSS v3.1 base score is 8.4 (High), indicating significant potential impact. The attack vector is local, with low attack complexity. If exploited, this vulnerability could lead to complete compromise of system confidentiality, integrity, and availability.

Remediation

As of the initial report, specific remediation details have not been provided. However, standard best practices for addressing such vulnerabilities typically include:
1. Applying the latest security updates from Microsoft as soon as they become available.
2. Implementing the principle of least privilege to limit potential damage from exploits.
3. Using application whitelisting and other endpoint protection measures to prevent unauthorized code execution.
4. Monitoring systems for unusual activity that could indicate exploitation attempts.
5. Keeping all software, especially Microsoft Office, up-to-date with the latest security patches.
Users and administrators should monitor the Microsoft Security Response Center for official patches and mitigation strategies specific to this vulnerability.