PatchSiren cyber security CVE debrief

CVE-2026-40360 Microsoft CVE debrief

CVE-2026-40360 is a high-severity out-of-bounds read vulnerability in Microsoft Office Excel, published by NVD on 2026-05-12 and last modified on 2026-05-19. The vulnerability allows an unauthorized attacker to disclose information locally, with a CVSS 3.1 score of 7.8 (HIGH). The attack vector is local, requiring low attack complexity and no privileges, but does require user interaction. The vulnerability is rooted in CWE-125 (Out-of-bounds Read) and affects multiple Microsoft Office and Excel product lines including Microsoft 365 Apps Enterprise (x64 and x86), Excel 2016 (x64 and x86), Office 2019 (x64 and x86), Office Long Term Servicing Channel 2021 and 2024 (x64, x86, and macOS), and Office Online Server versions prior to 16.0.10417.20128. Microsoft has issued a vendor advisory addressing this vulnerability. Organizations should prioritize patching affected Excel and Office installations, particularly those in enterprise environments where local information disclosure could expose sensitive business data. The user interaction requirement suggests potential exploitation through malicious document files, reinforcing the need for security awareness training and email filtering controls.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Enterprise security teams managing Microsoft Office deployments, desktop administrators responsible for patch management, organizations with strict data loss prevention requirements, and security operations centers monitoring for Office-based attack vectors.

Technical summary

Out-of-bounds read (CWE-125) in Microsoft Office Excel parsing/handling code. The attack vector is local and exploitation requires user interaction. Successful exploitation results in information disclosure to an unauthorized local attacker. CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Defensive priority

High

Recommended defensive actions

  • Apply Microsoft security updates for affected Office and Excel versions as provided in the vendor advisory
  • Prioritize patching systems running Office Long Term Servicing Channel 2021 and 2024, Excel 2016, Office 2019, and Microsoft 365 Apps Enterprise
  • For Office Online Server deployments, ensure the update to version 16.0.10417.20128 or later is applied
  • Implement email and web filtering to reduce the likelihood of user interaction with malicious Excel documents
  • Review and restrict local user privileges where possible to limit information disclosure impact
  • Monitor for anomalous Excel process behavior indicating potential exploitation attempts

Evidence notes

Vulnerability description and CVSS scoring derived from official NVD record. Affected product enumeration based on CPE criteria from NVD source data. CWE-125 classification confirmed via NVD weaknesses field. Vendor advisory status confirmed through Microsoft MSRC reference.
