PatchSiren cyber security CVE debrief

CVE-2026-35440 Microsoft CVE debrief

CVE-2026-35440 is a medium-severity information disclosure vulnerability in Microsoft Office Word, published on 2026-05-12 and last modified on 2026-05-19. The vulnerability stems from files or directories being accessible to external parties, allowing an unauthorized attacker to disclose information locally. The CVSS 3.1 score of 5.5 reflects local attack vector, low attack complexity, no privileges required, but user interaction required, with high impact to confidentiality and no impact to integrity or availability. Microsoft has assigned CWE-552 (Files or Directories Accessible to External Parties) as the primary weakness. The vulnerability affects multiple Microsoft Office product lines including Microsoft 365 Apps for Enterprise (x64 and x86), Office 2019 (x64 and x86), Office Long Term Servicing Channel 2021 and 2024 (x64 and x86), and Word 2016 (x64 and x86). As this is a local information disclosure issue requiring user interaction, exploitation would likely involve social engineering to convince a user to open a malicious document or interact with a compromised file in a way that exposes sensitive local information. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Organizations should apply security updates from Microsoft as they become available and follow Microsoft's guidance for the affected products.