Microsoft Office Excel: Eight Vulnerabilities Disclosed on June 9, 2026
Microsoft patched eight vulnerabilities in Office Excel on June 9, 2026, including several high-severity flaws that allow local code execution.

Key findings
- Eight vulnerabilities in Microsoft Office Excel were disclosed on June 9, 2026.
- Five high-severity integer underflow flaws could allow local code execution.
- One high-severity out-of-bounds read vulnerability may lead to information disclosure.
- Two low-severity vulnerabilities include protection mechanism failure and information disclosure.
- These flaws were part of Microsoft's June 2026 Patch Tuesday, addressing 198-200 total vulnerabilities.
Microsoft addressed a cluster of eight vulnerabilities affecting Microsoft Office Excel on June 9, 2026, as part of its monthly Patch Tuesday security updates. The disclosed flaws include several high-severity issues, primarily related to integer underflow vulnerabilities, which could permit attackers to execute code locally on a victim's machine. This batch of vulnerabilities was disclosed simultaneously, indicating a coordinated patching effort by Microsoft.
The vulnerabilities can be broadly categorized by their impact and the type of flaw. A significant portion of the disclosed issues, specifically CVE-2026-45469, CVE-2026-44820, CVE-2026-44818, CVE-2026-44817, and CVE-2026-44817, are classified as integer underflow vulnerabilities. These bugs, often referred to as wrap or wraparound errors, occur when a calculation produces a result below the minimum value for a given data type, so the value wraps around to an unexpected one, potentially allowing for memory corruption and subsequent code execution. The CVSS scores for these range from 7.0 to 7.8, all categorized as High severity.
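The wraparound described above, shown as an added example that is not Excel's code and not taken from Microsoft's advisories: a length calculation for a constructed record format (2-byte type, 2-byte little-endian total length, then payload), first without and then with the checks that prevent the underflow. The record layout and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 4u  /* constructed format: 2-byte type + 2-byte total length */

/* Unchecked: a total length smaller than the header wraps the unsigned
 * subtraction, turning a tiny record into a near-4 GiB payload length. */
static uint32_t payload_len_unchecked(uint16_t total_len)
{
    return (uint32_t)total_len - (uint32_t)HDR_LEN;
}

/* Checked: validate every operand before subtracting, then bound the
 * result against both the supplied input and the destination buffer. */
static int copy_payload_checked(const uint8_t *rec, size_t rec_size,
                                uint8_t *dst, size_t dst_size, size_t *out_len)
{
    if (rec_size < HDR_LEN)
        return -1;                         /* header itself is truncated */
    uint16_t total_len = (uint16_t)(rec[2] | (rec[3] << 8));
    if (total_len < HDR_LEN)
        return -1;                         /* subtraction would underflow */
    if (total_len > rec_size)
        return -1;                         /* claims more bytes than supplied */
    size_t n = (size_t)total_len - HDR_LEN;
    if (n > dst_size)
        return -1;                         /* would overrun the destination */
    memcpy(dst, rec + HDR_LEN, n);
    *out_len = n;
    return 0;
}

int main(void)
{
    /* Constructed sample records, not real file content. */
    const uint8_t short_rec[] = { 0x01, 0x00, 0x02, 0x00 };  /* total_len = 2 */
    uint8_t dst[16];
    size_t n = 0;

    printf("unchecked length for total_len=2: 0x%08X\n",
           (unsigned)payload_len_unchecked(2));
    printf("checked parser result: %d\n",
           copy_payload_checked(short_rec, sizeof short_rec, dst, sizeof dst, &n));
    return 0;
}
```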
Another notable vulnerability, CVE-2026-44822, is an out-of-bounds read flaw with a CVSS score of 8.2, also rated High. This type of vulnerability can lead to the disclosure of sensitive information to an unauthorized attacker over a network. While not directly leading to code execution, information disclosure can be a critical precursor to more sophisticated attacks.
Two lower-severity vulnerabilities were also part of this disclosure. CVE-2026-45459, rated Low (CVSSv3 3.3), is a protection mechanism failure that could allow an attacker to bypass a security feature locally. Additionally, CVE-2026-45455, also rated Low (CVSSv3 3.3), is an out-of-bounds read vulnerability that could allow an attacker to disclose information over a network. While these have lower CVSS scores, they can still contribute to a broader attack chain.
According to coverage from BleepingComputer and Cyber Security News, Microsoft's June 2026 Patch Tuesday addressed a total of 198 to 200 vulnerabilities, including three zero-day vulnerabilities that were publicly known or actively exploited prior to the patch release. While the specific Excel vulnerabilities detailed here were not explicitly called out as zero-days in the provided coverage, their inclusion in this major patch cycle underscores their importance. The overall Patch Tuesday release included a significant number of critical vulnerabilities, with many allowing for remote code execution.
Microsoft's security updates are crucial for maintaining the integrity and security of Office applications. Users are strongly advised to apply the latest security patches provided by Microsoft to mitigate the risks associated with these vulnerabilities. The specific versions of Microsoft Office Excel affected and the patches that address these issues are detailed in Microsoft's official security advisories, which are part of the June 2026 Patch Tuesday rollout. Prompt application of these updates is essential to protect against potential local code execution and information disclosure attacks.
This batch of vulnerabilities highlights the ongoing need for vigilance in securing widely used productivity software. The presence of multiple high-severity flaws, particularly those enabling local code execution, emphasizes the importance of timely patching. Users should ensure their Office suite is up-to-date to benefit from Microsoft's security enhancements and protect against potential exploitation.