CVE-2006-1540

EXPLOITED

Microsoft Office - Remote Code Execution via Malformed Document Record

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2006-1540 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including posidron.

AI-analyzed exploit summary This is a detailed technical writeup analyzing the Microsoft Office 2002 (Excel/Powerpoint/Word) vulnerability (CVE-2006-1540). It describes the BIFF file format, specific offsets in XLS/XLW files that trigger access violations, and crash analysis in OLE32.DLL and excel.exe.

Description

MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string.

Exploits (1)

exploitdb WRITEUP VERIFIED
by posidron · textdoswindows
https://www.exploit-db.com/exploits/1615

This is a detailed technical writeup analyzing the Microsoft Office 2002 (Excel/Powerpoint/Word) vulnerability (CVE-2006-1540). It describes the BIFF file format, specific offsets in XLS/XLW files that trigger access violations, and crash analysis in OLE32.DLL and excel.exe.

Classification
Writeup 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Theoretical
Target: Microsoft Office 2002 (Excel/Powerpoint/Word) 10.0.2614.0 to 11.0.5612.0
No auth needed
Prerequisites: ability to modify XLS/XLW file structure
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (14)

Core 14
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/439697/100/0/threaded
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21012
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2756
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/609868
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27607
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27609
Exploit, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17252
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/18889
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-192A.html
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/27150
Third Party Advisory vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A639
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/1615
Exploit, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015855

Scores

EPSS 0.7034
EPSS Percentile 98.7%

Details

VulnCheck KEV 2006-07-11
CWE
CWE-94
Status published
Products (6)
microsoft/office
microsoft/office 2000 (6 CPE variants)
microsoft/office 2003 (3 CPE variants)
microsoft/office 2004
microsoft/office v.x
microsoft/office xp sp1 (3 CPE variants)
Published Mar 30, 2006
Tracked Since Feb 18, 2026