CVE-2026-25180 is a medium severity vulnerability identified in Microsoft Office for Android, specifically version 16.0.1. The root cause is an out-of-bounds read (CWE-125) in the Microsoft Graphics Component, which processes graphical data within Office documents. This vulnerability allows an attacker with local access to cause the application to read memory beyond allocated buffers, potentially disclosing sensitive information stored in adjacent memory regions. The attack requires user interaction, such as opening a maliciously crafted Office document, but does not require any privileges or authentication. The vulnerability affects confidentiality only, as it does not permit code execution, modification of data, or denial of service. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates local attack vector, low complexity, no privileges required, user interaction needed, unchanged scope, and high confidentiality impact. No patches or exploits are currently publicly available, but the vulnerability is officially published and tracked. This flaw highlights the risks of processing untrusted document content on mobile platforms, where memory safety issues can lead to data leakage.

The primary impact of CVE-2026-25180 is the potential disclosure of sensitive information from the memory of Microsoft Office for Android applications. For organizations, this could mean leakage of confidential document content, credentials, or other sensitive data temporarily held in memory during document processing. Although the attack requires local access and user interaction, it could be exploited by malicious insiders or through social engineering to open crafted files. The vulnerability does not allow code execution or system compromise, limiting its impact to confidentiality breaches. However, given the widespread use of Microsoft Office on Android devices in enterprise environments, the risk of data leakage is significant. This could lead to exposure of intellectual property, personal data, or other sensitive information, potentially resulting in compliance violations, reputational damage, and financial loss. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed proactively.

1. Monitor Microsoft security advisories closely and apply official patches or updates for Microsoft Office for Android as soon as they become available. 2. Until patches are released, restrict the opening of Office documents from untrusted or unknown sources on Android devices. 3. Implement mobile device management (MDM) policies to control app installation and document handling on corporate Android devices. 4. Educate users about the risks of opening unsolicited or suspicious Office documents, emphasizing the need for caution and verification. 5. Use endpoint protection solutions capable of scanning and blocking malicious documents before they reach user devices. 6. Employ application sandboxing or containerization to limit the impact of potential memory disclosure vulnerabilities. 7. Regularly audit and monitor Android device usage and file access patterns to detect anomalous behavior that could indicate exploitation attempts. 8. Consider disabling or limiting the use of Microsoft Office on Android in high-risk environments until the vulnerability is remediated.