#VU62095 Use-after-free in Microsoft products - CVE-2022-26901
Published: April 12, 2022 / Updated: June 1, 2022
Vulnerability identifier: #VU62095
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-26901
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Microsoft Office Web Apps Server
Microsoft SharePoint Foundation
Microsoft SharePoint Server Subscription Edition
Microsoft SharePoint Enterprise Server
Office Online Server
Microsoft Office LTSC
Microsoft Office
Microsoft Excel
Microsoft 365 Apps for Enterprise
Microsoft Office Web Apps Server
Microsoft SharePoint Foundation
Microsoft SharePoint Server Subscription Edition
Microsoft SharePoint Enterprise Server
Office Online Server
Microsoft Office LTSC
Microsoft Office
Microsoft Excel
Microsoft 365 Apps for Enterprise
Software vendor:
Microsoft
Microsoft
Description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when parsing Excel files. A remote attacker can trick the victim to open a specially crafted Excel file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Remediation
Install updates from vendor's website.