PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40361 Microsoft CVE debrief

A use-after-free vulnerability in Microsoft Office Word allows local code execution by an unauthorized attacker. The flaw, rated HIGH severity (CVSS 8.4), affects multiple Office versions including Microsoft 365 Apps Enterprise, Office 2019, Office LTSC 2021/2024 (Windows and macOS), and Word 2016. The vulnerability was published on May 12, 2026 and last modified on May 19, 2026. Microsoft has issued a vendor advisory with remediation guidance.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Organizations running Microsoft Office environments, particularly those with mixed-version deployments of Office 2016, 2019, 2021 LTSC, 2024 LTSC, or Microsoft 365 Apps Enterprise. Security teams responsible for endpoint protection and patch management should prioritize this vulnerability due to its high impact potential and the ubiquity of Word in enterprise document workflows.

Technical summary

The vulnerability stems from improper memory management in Microsoft Word, where a use-after-free condition (CWE-416) can be triggered. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates that the attack vector is local but exploitation requires neither privileges nor user interaction, yielding complete compromise of the affected system. The broad version scope, spanning both x86 and x64 builds on Windows and macOS, suggests the underlying code flaw lives in document parsing or rendering components shared across those platforms.

Defensive priority

HIGH

Recommended defensive actions

  • Apply security updates from Microsoft as outlined in the vendor advisory for affected Office and Word versions
  • Prioritize patching systems running Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps Enterprise
  • Review endpoint detection configurations for Word process anomalies indicative of memory corruption exploitation
  • Consider Microsoft Defender Application Guard or Protected View for documents from untrusted sources
  • Monitor for unexpected Word process crashes or abnormal child process spawning
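As an added illustration of the last two actions (not part of the PatchSiren debrief or any Microsoft tooling), the following script runs simple detection logic over constructed, Sysmon-style process-creation and Application Error log lines, flagging Word crashes with memory-corruption exception codes and Word spawning script interpreters or LOLBins. Field names, paths and event values are assumptions made for the sample.

```python
import re

# Constructed sample events in a simplified key=value format; not real telemetry.
# EventID=1 mimics Sysmon process creation, EventID=1000 mimics an Application Error record.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    r"EventID=1 ParentImage=C:\Windows\explorer.exe Image=" + OFFICE + r"\WINWORD.EXE",
    r"EventID=1 ParentImage=" + OFFICE + r"\WINWORD.EXE Image=C:\Windows\splwow64.exe",
    r"EventID=1 ParentImage=" + OFFICE + r"\WINWORD.EXE Image=C:\Windows\System32\cmd.exe",
    r"EventID=1000 FaultingImage=" + OFFICE + r"\WINWORD.EXE ExceptionCode=0xc0000005",
    r"EventID=1000 FaultingImage=" + OFFICE + r"\EXCEL.EXE ExceptionCode=0xc0000005",
    r"EventID=1 ParentImage=" + OFFICE + r"\WINWORD.EXE Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
]

WORD_IMAGE = "winword.exe"
# Interpreters and LOLBins that Word has no ordinary reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Access violation, heap corruption and fail-fast codes typical of memory-corruption crashes.
MEMORY_FAULT_CODES = {"0xc0000005", "0xc0000374", "0xc0000409"}

# Lazy value match terminated by the next " key=" token, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))

def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding label for a parsed event, or None when it looks benign."""
    eid = event.get("EventID")
    if eid == "1" and basename(event.get("ParentImage", "")) == WORD_IMAGE:
        child = basename(event.get("Image", ""))
        if child in SUSPICIOUS_CHILDREN:
            return "word-spawned-" + child
    elif eid == "1000" and basename(event.get("FaultingImage", "")) == WORD_IMAGE:
        if event.get("ExceptionCode", "").lower() in MEMORY_FAULT_CODES:
            return "word-memory-fault-crash"
    return None

def triage(lines):
    """Classify every raw line and return the ordered list of findings."""
    return [label for label in (classify(parse_event(l)) for l in lines) if label]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign print helper (splwow64.exe) and the Excel crash are deliberately left unflagged so the rule stays specific to Word.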

Evidence notes

CWE-416 (Use After Free) is the primary weakness type. The CVSS vector indicates a local attack vector with low attack complexity, no privileges required, and no user interaction needed, resulting in high impact to confidentiality, integrity, and availability.

Official resources

Microsoft disclosed this vulnerability through their Security Response Center. The issue was analyzed and published in the NVD with vendor advisory tags. No known exploitation in ransomware campaigns has been documented.