CVE-2021-40481: 
vulnerability analysis and mitigation

Microsoft Office Visio was found to contain a Remote Code Execution vulnerability identified as CVE-2021-40481. The vulnerability was discovered by Tran Van Khang from VinCSS and was reported to Microsoft on July 28, 2021, with public disclosure occurring on October 14, 2021. The vulnerability affects multiple versions of Microsoft Office products including Microsoft 365 Apps Enterprise, Office 2019, and Office Long Term Servicing Channel 2021 (ZDI Advisory).

The vulnerability exists within the parsing of WMF files in Microsoft Office Visio. Specifically, the flaw stems from the lack of validation of an object's existence prior to performing operations on it, resulting in a Use-After-Free condition. The vulnerability has received a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H from NIST, while Microsoft assessed it with a score of 7.1 (High) (ZDI Advisory, NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS scores indicate potential severe impacts on system confidentiality, integrity, and availability when successfully exploited (ZDI Advisory).

Microsoft has released security updates to address this vulnerability. Users are advised to apply the available patches through Microsoft's security update mechanism (Microsoft Advisory).