CVE-2026-20955 is a vulnerability classified under CWE-822 (Untrusted Pointer Dereference) affecting Microsoft Office Online Server, specifically the Excel component. The flaw arises when the software dereferences pointers that have not been properly validated or sanitized, allowing an attacker to manipulate pointer references to execute arbitrary code locally. This vulnerability does not require elevated privileges but does require user interaction, such as opening a malicious Excel file or triggering a specific action within the Office Online Server environment. The CVSS 3.1 base score is 7.8, indicating high severity, with attack vector Local (AV:L), attack complexity Low (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). This means an attacker can fully compromise the affected system, potentially leading to data theft, system manipulation, or denial of service. The vulnerability was published on January 13, 2026, with no known exploits in the wild at the time of reporting. The affected version is 16.0.0.0 of Office Online Server. The vulnerability is critical for environments where Office Online Server is deployed, especially in enterprise and government sectors that rely on Excel for data processing and collaboration. The lack of available patches at the time of disclosure necessitates immediate risk mitigation strategies.

For European organizations, this vulnerability poses a significant risk due to the widespread use of Microsoft Office Online Server in enterprise, government, and critical infrastructure sectors. Successful exploitation could lead to local code execution, allowing attackers to gain unauthorized access to sensitive data, manipulate or corrupt information, and disrupt business operations. The high impact on confidentiality, integrity, and availability means that data breaches, operational downtime, and potential regulatory non-compliance (e.g., GDPR) are possible consequences. Organizations in sectors such as finance, healthcare, public administration, and energy are particularly vulnerable due to the critical nature of their data and services. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, especially in environments where insider threats or compromised endpoints exist. The absence of known exploits currently provides a window for proactive defense, but the high severity score demands urgent attention.

1. Restrict local access to systems running Microsoft Office Online Server to trusted personnel only and enforce strict access controls. 2. Educate users about the risks of opening untrusted Excel files or interacting with suspicious content within Office Online Server environments. 3. Implement application whitelisting and endpoint protection solutions to detect and block attempts to exploit pointer dereference vulnerabilities. 4. Monitor logs and system behavior for unusual activities indicative of exploitation attempts, such as unexpected process executions or memory access violations. 5. Isolate Office Online Server instances within segmented network zones to limit lateral movement in case of compromise. 6. Prepare for patch deployment by maintaining an inventory of affected systems and testing updates in controlled environments. 7. Engage with Microsoft support channels to obtain patches or workarounds as soon as they become available. 8. Employ regular vulnerability scanning and penetration testing focused on Office Online Server deployments to identify and remediate weaknesses proactively.