CVE-2022-26806: 
vulnerability analysis and mitigation

Microsoft Office Graphics Remote Code Execution Vulnerability (CVE-2022-26806) is a security flaw that affects Microsoft Excel and other Microsoft Office applications. The vulnerability was initially reported on October 31, 2022, and publicly disclosed on December 15, 2022 (ZDI Advisory).

The vulnerability exists within the parsing of SKP files in Microsoft Excel. The specific flaw results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

When successfully exploited, this vulnerability allows remote attackers to execute arbitrary code in the context of the current process on affected installations of Microsoft Excel. The attack requires user interaction, specifically the target must visit a malicious page or open a malicious file (ZDI Advisory).

Microsoft has released a security update to address this vulnerability. Users are advised to apply the available patches through the Microsoft security update (Microsoft Advisory).