Introduction
An insufficient access control flaw in Microsoft Office Click-to-Run's shared infrastructure allows a low privilege local attacker to escalate to SYSTEM and escape the AppContainer sandbox, earning a CVSS 3.1 base score of 8.8. With Microsoft 365 deployed across hundreds of millions of endpoints, including 89 million consumer subscribers and a commercial seat base growing at 6 percent year over year, the potential blast radius of this vulnerability is substantial even though no exploitation has been observed yet.
Technical Information
The vulnerability resides in the shared Click-to-Run infrastructure of Microsoft Office, not in any individual application like Word or Excel. The root cause is classified as CWE-1220: Insufficient Granularity of Access Control. In practical terms, the software fails to enforce fine-grained permission checks at a level necessary to properly restrict operations within its execution environment.
The full CVSS 3.1 vector string is:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Several elements of this vector deserve attention:
- Attack Vector (Local): The attacker must already have basic user access on the target system. Remote exploitation is not possible.
- Attack Complexity (Low): No special conditions or race conditions are needed.
- Privileges Required (Low): Standard user privileges are sufficient to trigger the flaw.
- User Interaction (None): No action from a legitimate user is required.
- Scope (Changed): This is the most consequential element. A successful exploit impacts resources beyond the security boundary managed by the vulnerable component.
The "Changed" scope designation is particularly significant. It indicates that exploitation leads to an escape from a contained execution environment, specifically the AppContainer isolation boundary. AppContainer is a Windows sandboxing mechanism designed to restrict the capabilities of processes running within it. Office Click-to-Run components execute inside this sandbox to limit the damage a compromised process can cause. A successful exploit of CVE-2026-35436 would allow an attacker operating within the Office Click-to-Run AppContainer to break out of that sandbox and gain SYSTEM level privileges on the host.
Attack Flow
Based on the available advisory details, the exploitation path would proceed as follows:
- An attacker with low privilege local access to a system running a vulnerable version of Office Click-to-Run identifies the Click-to-Run service infrastructure.
- The attacker interacts with the Click-to-Run components in a way that exploits the insufficient access control checks. Because the access control lacks the necessary granularity, operations that should be restricted to higher privilege levels are accessible.
- Through these improperly gated operations, the attacker escalates from a sandboxed, low privilege context to SYSTEM.
- With SYSTEM privileges and an escape from the AppContainer boundary, the attacker gains full control over confidentiality, integrity, and availability of the host system.
The high impact ratings across all three CIA triad dimensions reflect the complete control an attacker would achieve.
Microsoft explicitly notes that the Preview Pane is not an attack vector for this vulnerability. This narrows the attack surface to direct local interaction with the Click-to-Run components rather than passive document rendering scenarios, which is a meaningful distinction for risk assessment.
Patch Information
Microsoft released an official fix for CVE-2026-35436 on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The MSRC advisory confirms the Remediation Level is set to "Official Fix," meaning a complete vendor solution is available. There are no publicly disclosed workarounds or hotfixes outside of the official patch.
Because Office Click-to-Run uses a streaming update mechanism rather than traditional standalone KB patches, the fix is delivered as part of the updated Office build for each servicing channel. There is no single KB article to download. Instead, administrators must verify that endpoints are running the patched build numbers or later.
The fix was applied to the Office suite component, which aligns with the vulnerability residing in the shared Click-to-Run infrastructure itself. The following products received the update, all delivered via their respective Click-to-Run update channels:
- Microsoft 365 Apps for Enterprise (32 bit and 64 bit)
- Microsoft Office LTSC 2024 (32 bit and 64 bit)
- Microsoft Office LTSC 2021 (32 bit and 64 bit)
- Microsoft Office 2019 (32 bit and 64 bit)
The specific fixed build numbers per channel are:
| Channel | Fixed Version (Build) |
|---|---|
| Current Channel | Version 2604 (Build 19929.20164) |
| Monthly Enterprise Channel | Version 2604 (Build 19929.20162) |
| Monthly Enterprise Channel | Version 2603 (Build 19822.20240) |
| Monthly Enterprise Channel | Version 2602 (Build 19725.20320) |
| Semi-Annual Enterprise Channel | Version 2508 (Build 19127.20646) |
| Office 2024 Retail | Version 2604 (Build 19929.20164) |
| Office 2021 Retail | Version 2604 (Build 19929.20164) |
| Office LTSC 2024 Volume Licensed | Version 2408 (Build 17932.20776) |
| Office LTSC 2021 Volume Licensed | Version 2108 (Build 14334.20670) |
| Office 2019 Volume Licensed | Version 1808 (Build 10417.20132) |
Verifying remediation requires confirming the exact build number running on each endpoint, not simply checking if a particular KB is installed. The build number can be verified by navigating to File > Account in any Office application and checking the version listed under "About." Organizations using Microsoft 365 Apps should ensure their update channels are current and that no devices have been deferred past these fixed builds.
Affected Systems and Versions
The vulnerability affects all Microsoft Office installations that use the Click-to-Run delivery mechanism. The specific affected products are:
- Microsoft 365 Apps for Enterprise (32 bit and 64 bit), builds prior to Version 2604 (Build 19929.20162) on Monthly Enterprise Channel, or prior to Version 2604 (Build 19929.20164) on Current Channel
- Microsoft Office LTSC 2024 (32 bit and 64 bit), builds prior to Version 2408 (Build 17932.20776) for Volume Licensed, or prior to Version 2604 (Build 19929.20164) for Retail
- Microsoft Office LTSC 2021 (32 bit and 64 bit), builds prior to Version 2108 (Build 14334.20670) for Volume Licensed, or prior to Version 2604 (Build 19929.20164) for Retail
- Microsoft Office 2019 (32 bit and 64 bit), builds prior to Version 1808 (Build 10417.20132) for Volume Licensed
The Semi-Annual Enterprise Channel is also affected for builds prior to Version 2508 (Build 19127.20646).
Traditional MSI based Office installations are not affected, as the vulnerability is specific to the Click-to-Run infrastructure.
Vendor Security History
Microsoft maintains a regular monthly security update cadence. In the May 2026 update cycle, the company addressed 120 security flaws across its product portfolio. Notably, this particular Patch Tuesday release contained no zero day vulnerabilities, meaning all 120 flaws, including CVE-2026-35436, were patched before any public disclosure or observed exploitation.
References
- NVD Entry for CVE-2026-35436
- Microsoft Security Response Center Advisory
- Microsoft 365 Apps Security Update Release Notes
- Zero Day Initiative: May 2026 Security Update Review
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Microsoft FY25 Q4 Productivity and Business Processes Performance



