CVE-2021-38655: 
vulnerability analysis and mitigation

CVE-2021-38655 is a remote code execution vulnerability affecting Microsoft Excel. The vulnerability was discovered and reported to Microsoft on July 7, 2021, and was publicly disclosed on September 16, 2021. This security flaw affects various versions of Microsoft Excel including Excel 2013, Excel 2016, Microsoft 365 Apps, and Office 2019 (ZDI Advisory).

The vulnerability is classified as a Use-After-Free (UAF) flaw that exists within the parsing of XLS files. The specific issue results from the lack of validating the existence of an object prior to performing operations on the object. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory, NVD).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Excel. The attacker can leverage this vulnerability to execute code in the context of the current process, potentially gaining the same rights as the logged-in user (ZDI Advisory).

Microsoft has released security updates to address this vulnerability. Users should apply the security update KB5002003 for affected versions of Excel. The update is available through Microsoft Update, Microsoft Update Catalog, and the Microsoft Download Center (Microsoft Support).