CVE-2025-29978: 
vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-29978) was discovered in Microsoft Office PowerPoint and disclosed on May 13, 2025, as part of Microsoft's May 2025 Patch Tuesday updates. The vulnerability affects Microsoft 365 Apps Enterprise editions and Microsoft Office Long Term Servicing Channel 2024 for both x64 and x86 architectures (NVD, Wiz).

The vulnerability is classified as CWE-416 (Use After Free) and has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This scoring indicates that the vulnerability requires local access and user interaction to be exploited, but requires no privileges and can result in high impacts to confidentiality, integrity, and availability (NVD, Wiz).

If successfully exploited, this vulnerability enables attackers to execute arbitrary code in the context of the current user. The vulnerability has received high severity ratings across all three primary security metrics - confidentiality, integrity, and availability (Wiz).

Microsoft has released security updates to address this vulnerability as part of their May 2025 Patch Tuesday updates. Users and administrators are strongly advised to apply the latest security updates to all affected PowerPoint installations (Wiz).