CVE-2025-21356

CVE-2025-21356 is a remote code execution vulnerability affecting Microsoft Office Visio. The issue stems from weaknesses mapped to CWE-122 (heap-based buffer overflow) and CWE-843 (access of resource using incompatible type), with additional NVD-CWE-noinfo classification. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on January 14, 2025.

An unprivileged attacker can exploit this vulnerability by tricking a user into opening a malicious Visio file on a local system, as it requires local attack vector, low complexity, no privileges, and user interaction. Successful exploitation grants high-impact remote code execution, compromising confidentiality, integrity, and availability on the targeted machine.

Microsoft's Security Response Center provides mitigation guidance in its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21356, which security practitioners should consult for patching instructions and workarounds.