PatchSiren cyber security CVE debrief
CVE-2026-40362 Microsoft CVE debrief
A heap-based buffer overflow vulnerability in Microsoft Office Excel allows local code execution by an unauthorized attacker. The vulnerability was published on May 12, 2026, and last modified on May 19, 2026. Microsoft has issued a vendor advisory for this vulnerability.
- Vendor: Microsoft
- Product: Microsoft 365 Apps for Enterprise
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-19
Who should care
Organizations running affected Microsoft Office versions, particularly those with users who regularly open Excel documents from external or untrusted sources. Security teams should prioritize patching due to the HIGH severity rating and potential for complete system compromise through local code execution.
Technical summary
CVE-2026-40362 is a heap-based buffer overflow (CWE-122) in Microsoft Office Excel. The vulnerability allows an unauthorized attacker to execute arbitrary code locally when a user opens a maliciously crafted Excel file. The attack requires local access and user interaction (opening a file), with low attack complexity. Successful exploitation results in high impact to confidentiality, integrity, and availability. The vulnerability affects multiple Office product lines, including Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021/2024 (Windows and macOS), and Office Online Server. Microsoft has provided a vendor advisory with remediation information.
Defensive priority
HIGH
Recommended defensive actions
- Apply security updates from Microsoft as referenced in the MSRC advisory for CVE-2026-40362
- Prioritize patching systems running affected Office versions, particularly those processing untrusted Excel documents
- Implement application control policies to restrict execution of untrusted Office macros and add-ins
- Enable Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint to block Office child processes
- Consider deploying Microsoft Defender Application Guard for Office to isolate untrusted documents
- Review and restrict user permissions to reduce attack surface for local exploitation
- Monitor for suspicious Excel process behavior including unexpected child processes or memory anomalies
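Detection logic for the last action above, added here as an example that is not part of the PatchSiren debrief or of Microsoft's guidance: it scans constructed, Sysmon-style process-creation events (the key="value" rendering, the field names and the baseline of expected children are assumptions) and flags EXCEL.EXE spawning anything outside that baseline, rating scripting and LOLBin hosts as high severity.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Children Excel legitimately spawns in many estates (assumption; tune to your own baseline).
EXPECTED_CHILDREN = {"splwow64.exe", "excelcnv.exe", "werfault.exe"}
# Scripting/LOLBin hosts that should never be launched by Excel.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs; constructed event format

@dataclass
class Finding:
    severity: str
    child: str
    command_line: str

def parse_event(line: str) -> dict:
    """Parse one key="value" event line into a dict of fields."""
    return dict(FIELD_RE.findall(line))

def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when EXCEL.EXE spawns a child outside its baseline, else None."""
    if basename(event.get("ParentImage", "")) != "excel.exe":
        return None
    child = basename(event.get("Image", ""))
    if child in EXPECTED_CHILDREN:
        return None
    severity = "high" if child in HIGH_RISK_CHILDREN else "medium"
    return Finding(severity, child, event.get("CommandLine", ""))

def scan(lines) -> list:
    """Run evaluate() over every event line and keep only the findings."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f]

# Constructed sample telemetry, not real events.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
SAMPLE_EVENTS = [
    f'EventID="1" ParentImage="{OFFICE}" Image="C:\\Windows\\splwow64.exe" CommandLine="splwow64.exe 12288"',
    f'EventID="1" ParentImage="{OFFICE}" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c echo hi"',
    f'EventID="1" ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe"',
    f'EventID="1" ParentImage="{OFFICE}" Image="C:\\Users\\u\\AppData\\Local\\Temp\\update.exe" CommandLine="update.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] excel.exe -> {f.child}: {f.command_line}")
```

The medium-severity branch catches unknown executables, including ones dropped to user-writable paths, so review those against your own baseline before tuning EXPECTED_CHILDREN.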
Evidence notes
The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) per Microsoft's submission. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Affected products include Microsoft 365 Apps (Enterprise), Excel 2016, Office 2019, Office Long Term Servicing Channel 2021 and 2024 (Windows x64/x86 and macOS), and Office Online Server versions prior to 16.0.10417.20128.
Official resources
- CVE-2026-40362 CVE record (CVE.org)
- CVE-2026-40362 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Microsoft disclosed this vulnerability via the Microsoft Security Response Center (MSRC). The CVE was published on May 12, 2026, with a subsequent modification on May 19, 2026.