ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-35436 Elevation of Privilege in Microsoft Office Click-to-Run via Access Control Weakness

A short review of CVE-2026-35436, a high severity elevation of privilege vulnerability in Microsoft Office Click-to-Run caused by insufficient access control granularity, along with patch details and affected build numbers across all servicing channels.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-35436 Elevation of Privilege in Microsoft Office Click-to-Run via Access Control Weakness
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An insufficient access control flaw in Microsoft Office Click-to-Run's shared infrastructure allows a low privilege local attacker to escalate to SYSTEM and escape the AppContainer sandbox, earning a CVSS 3.1 base score of 8.8. With Microsoft 365 deployed across hundreds of millions of endpoints, including 89 million consumer subscribers and a commercial seat base growing at 6 percent year over year, the potential blast radius of this vulnerability is substantial even though no exploitation has been observed yet.

Technical Information

The vulnerability resides in the shared Click-to-Run infrastructure of Microsoft Office, not in any individual application like Word or Excel. The root cause is classified as CWE-1220: Insufficient Granularity of Access Control. In practical terms, the software fails to enforce fine-grained permission checks at a level necessary to properly restrict operations within its execution environment.

The full CVSS 3.1 vector string is:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

Several elements of this vector deserve attention:

  • Attack Vector (Local): The attacker must already have basic user access on the target system. Remote exploitation is not possible.
  • Attack Complexity (Low): No special conditions or race conditions are needed.
  • Privileges Required (Low): Standard user privileges are sufficient to trigger the flaw.
  • User Interaction (None): No action from a legitimate user is required.
  • Scope (Changed): This is the most consequential element. A successful exploit impacts resources beyond the security boundary managed by the vulnerable component.

The "Changed" scope designation is particularly significant. It indicates that exploitation leads to an escape from a contained execution environment, specifically the AppContainer isolation boundary. AppContainer is a Windows sandboxing mechanism designed to restrict the capabilities of processes running within it. Office Click-to-Run components execute inside this sandbox to limit the damage a compromised process can cause. A successful exploit of CVE-2026-35436 would allow an attacker operating within the Office Click-to-Run AppContainer to break out of that sandbox and gain SYSTEM level privileges on the host.

Attack Flow

Based on the available advisory details, the exploitation path would proceed as follows:

  1. An attacker with low privilege local access to a system running a vulnerable version of Office Click-to-Run identifies the Click-to-Run service infrastructure.
  2. The attacker interacts with the Click-to-Run components in a way that exploits the insufficient access control checks. Because the access control lacks the necessary granularity, operations that should be restricted to higher privilege levels are accessible.
  3. Through these improperly gated operations, the attacker escalates from a sandboxed, low privilege context to SYSTEM.
  4. With SYSTEM privileges and an escape from the AppContainer boundary, the attacker gains full control over confidentiality, integrity, and availability of the host system.

The high impact ratings across all three CIA triad dimensions reflect the complete control an attacker would achieve.

Microsoft explicitly notes that the Preview Pane is not an attack vector for this vulnerability. This narrows the attack surface to direct local interaction with the Click-to-Run components rather than passive document rendering scenarios, which is a meaningful distinction for risk assessment.

Patch Information

Microsoft released an official fix for CVE-2026-35436 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the Remediation Level is set to "Official Fix," meaning a complete vendor solution is available. There are no publicly disclosed workarounds or hotfixes outside of the official patch.

Because Office Click-to-Run uses a streaming update mechanism rather than traditional standalone KB patches, the fix is delivered as part of the updated Office build for each servicing channel. There is no single KB article to download. Instead, administrators must verify that endpoints are running the patched build numbers or later.

The fix was applied to the Office suite component, which aligns with the vulnerability residing in the shared Click-to-Run infrastructure itself. The following products received the update, all delivered via their respective Click-to-Run update channels:

  • Microsoft 365 Apps for Enterprise (32 bit and 64 bit)
  • Microsoft Office LTSC 2024 (32 bit and 64 bit)
  • Microsoft Office LTSC 2021 (32 bit and 64 bit)
  • Microsoft Office 2019 (32 bit and 64 bit)

The specific fixed build numbers per channel are:

ChannelFixed Version (Build)
Current ChannelVersion 2604 (Build 19929.20164)
Monthly Enterprise ChannelVersion 2604 (Build 19929.20162)
Monthly Enterprise ChannelVersion 2603 (Build 19822.20240)
Monthly Enterprise ChannelVersion 2602 (Build 19725.20320)
Semi-Annual Enterprise ChannelVersion 2508 (Build 19127.20646)
Office 2024 RetailVersion 2604 (Build 19929.20164)
Office 2021 RetailVersion 2604 (Build 19929.20164)
Office LTSC 2024 Volume LicensedVersion 2408 (Build 17932.20776)
Office LTSC 2021 Volume LicensedVersion 2108 (Build 14334.20670)
Office 2019 Volume LicensedVersion 1808 (Build 10417.20132)

Verifying remediation requires confirming the exact build number running on each endpoint, not simply checking if a particular KB is installed. The build number can be verified by navigating to File > Account in any Office application and checking the version listed under "About." Organizations using Microsoft 365 Apps should ensure their update channels are current and that no devices have been deferred past these fixed builds.

Affected Systems and Versions

The vulnerability affects all Microsoft Office installations that use the Click-to-Run delivery mechanism. The specific affected products are:

  • Microsoft 365 Apps for Enterprise (32 bit and 64 bit), builds prior to Version 2604 (Build 19929.20162) on Monthly Enterprise Channel, or prior to Version 2604 (Build 19929.20164) on Current Channel
  • Microsoft Office LTSC 2024 (32 bit and 64 bit), builds prior to Version 2408 (Build 17932.20776) for Volume Licensed, or prior to Version 2604 (Build 19929.20164) for Retail
  • Microsoft Office LTSC 2021 (32 bit and 64 bit), builds prior to Version 2108 (Build 14334.20670) for Volume Licensed, or prior to Version 2604 (Build 19929.20164) for Retail
  • Microsoft Office 2019 (32 bit and 64 bit), builds prior to Version 1808 (Build 10417.20132) for Volume Licensed

The Semi-Annual Enterprise Channel is also affected for builds prior to Version 2508 (Build 19127.20646).

Traditional MSI based Office installations are not affected, as the vulnerability is specific to the Click-to-Run infrastructure.

Vendor Security History

Microsoft maintains a regular monthly security update cadence. In the May 2026 update cycle, the company addressed 120 security flaws across its product portfolio. Notably, this particular Patch Tuesday release contained no zero day vulnerabilities, meaning all 120 flaws, including CVE-2026-35436, were patched before any public disclosure or observed exploitation.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization