CVE-2026-35436

High

Published: 12 May 2026

Published

12 May 2026

Modified

12 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score N/A

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35436 is a high-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-16 Security and Privacy Attributes

addresses: CWE-1220

Use of granular security and privacy attributes enables finer access control than coarse permission models alone.

CA-9 Internal System Connections

addresses: CWE-1220

Documenting interface characteristics enables more granular control over internal access.

SA-17 Developer Security and Privacy Architecture and Design

addresses: CWE-1220

Requires the architecture to describe granularity and placement of controls, preventing insufficiently fine-grained access decisions.

SC-2 Separation of System and User Functionality

addresses: CWE-1220

Provides the necessary granularity by placing system management functions outside the reach of user-level access controls.

SC-3 Security Function Isolation

addresses: CWE-1220

Isolation supplies an explicit, enforceable granularity boundary between security and non-security functions that coarser access-control schemes lack.

NVD Description

Insufficient granularity of access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-1220

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35436
secure@microsoft.com