PatchSiren cyber security CVE debrief
CVE-2026-40359 Microsoft CVE debrief
A use-after-free vulnerability in Microsoft Office Excel enables local code execution by an unauthorized attacker. The flaw (CWE-416) affects multiple Office deployment channels including Microsoft 365 Apps Enterprise, Office 2016, 2019, and Long Term Servicing Channel versions 2021 and 2024 across Windows (x64/x86) and macOS platforms, as well as Office Online Server prior to version 16.0.10417.20128. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates local attack vector with low complexity, requiring no privileges but user interaction, yielding high impact on confidentiality, integrity, and availability. Published 2026-05-12 and last modified 2026-05-19. No KEV listing or known ransomware campaign use is documented.
- Vendor: Microsoft
- Product: Microsoft 365 Apps for Enterprise
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-19
Who should care
Organizations with Microsoft Office deployments, particularly those using Office Online Server or managing enterprise Office installations. Security teams responsible for endpoint protection and patch management. Users handling documents from external or untrusted sources.
Technical summary
The vulnerability stems from improper memory management in Excel: an object is freed and then referenced again, letting an attacker corrupt memory and execute arbitrary code in the context of the current user. Exploitation requires local access and user interaction, typically the user opening a maliciously crafted document. It affects a broad Office install base, including LTSC 2021/2024, Microsoft 365 Apps Enterprise, Office 2016/2019, and Office Online Server installations.
Defensive priority
HIGH
Recommended defensive actions
- Apply security updates from Microsoft for affected Office versions per vendor advisory guidance
- Prioritize patching for systems running Office Online Server and enterprise-managed Office deployments
- Review and restrict macro execution policies and document handling from untrusted sources
- Monitor for anomalous Excel process behavior indicating potential exploitation attempts
- Validate endpoint detection coverage for memory corruption indicators in Office applications
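The first two actions above come down to finding which hosts still run an affected build. The debrief gives one concrete fixed build, Office Online Server 16.0.10417.20128 (earlier builds are affected), and names no fixed build for the desktop channels. The following added example (not PatchSiren's code) triages a constructed host inventory against that build; the host names, channel labels and version numbers in the sample data are hypothetical, and hosts on channels without a stated fixed build are routed to a manual advisory check rather than judged by version.

```python
"""
Triage an Office host inventory against the fixed Office Online Server build
named in the debrief. Added example, not PatchSiren's code. The inventory is
constructed sample data with hypothetical host names and builds.
"""

# Fixed Office Online Server build from the debrief; builds "prior to" it are affected.
OOS_FIXED_BUILD = "16.0.10417.20128"


def parse_build(version: str) -> tuple:
    """Turn a dotted build string into a tuple of ints so comparison is numeric.
    A plain string comparison would rank '16.0.9999.1' above '16.0.10417.20128'."""
    try:
        return tuple(int(p) for p in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable build string: {version!r}") from exc


def oos_is_affected(version: str) -> bool:
    """True when an Office Online Server build predates the fixed build."""
    return parse_build(version) < parse_build(OOS_FIXED_BUILD)


def triage(inventory: list) -> dict:
    """Sort hosts into patch_now / patched / check_advisory buckets."""
    result = {"patch_now": [], "patched": [], "check_advisory": []}
    for host in inventory:
        if host["product"] == "Office Online Server":
            bucket = "patch_now" if oos_is_affected(host["version"]) else "patched"
        else:
            # Desktop channels are in scope too, but the page states no fixed build
            # for them, so version alone cannot decide; send to the vendor advisory.
            bucket = "check_advisory"
        result[bucket].append(host["host"])
    return result


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = [
    {"host": "oos-01.example.internal", "product": "Office Online Server",
     "version": "16.0.10417.20100"},
    {"host": "oos-02.example.internal", "product": "Office Online Server",
     "version": "16.0.10417.20128"},
    {"host": "oos-03.example.internal", "product": "Office Online Server",
     "version": "16.0.9999.30000"},
    {"host": "ws-117.example.internal", "product": "Microsoft 365 Apps for Enterprise",
     "version": "16.0.18000.20000"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

The numeric tuple comparison is the point worth keeping: the third sample host, 16.0.9999.30000, is older than the fixed build and is affected, but a string comparison would rank it newer because '9' sorts after '1'.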
Evidence notes
Vulnerability classification and affected product enumeration derived from NVD CPE criteria and Microsoft MSRC reference. CVSS scoring and CWE-416 classification sourced from official vulnerability database records.
Official resources
- CVE-2026-40359 CVE record (CVE.org)
- CVE-2026-40359 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Microsoft disclosed this vulnerability through their Security Response Center with vendor advisory guidance.