CVE-2025-29977: 
vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in Microsoft Office Excel (CVE-2025-29977), which was disclosed on May 13, 2025. The vulnerability affects multiple versions of Microsoft Office products including Excel 2016, Office 2019, Microsoft 365 Apps Enterprise, Office Long Term Servicing Channel 2021/2024, and Office Online Server versions prior to 16.0.10417.20010 (NVD, CVE Mitre).

The vulnerability is classified as a use-after-free (CWE-416) issue in Microsoft Office Excel. It received a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access and user interaction, but no privileges, while potentially impacting confidentiality, integrity, and availability at high levels (NVD).

If successfully exploited, this vulnerability allows an unauthorized attacker to execute code locally on the affected system, potentially leading to full system compromise with the same privileges as the logged-in user (NVD).

Microsoft has released security updates to address this vulnerability. Users can obtain the fix through multiple channels: Microsoft Update, Microsoft Update Catalog, or Microsoft Download Center. For Office Online Server, the security update package build 16.0.10417.20010 (KB5002707) is available (Microsoft Support).