PatchSiren cyber security CVE debrief
CVE-2026-40363 Microsoft CVE debrief
CVE-2026-40363 is a Microsoft Office heap-based buffer overflow that can allow an unauthorized attacker to execute code locally. NVD lists the issue as analyzed and rates it HIGH with a CVSS 3.1 score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The affected products include Microsoft 365 Apps, Office 2016, Office 2019, and Office Long Term Servicing Channel 2021 and 2024 variants across the listed architectures and macOS entries. Because the vulnerability is local in attack vector but can lead to full confidentiality, integrity, and availability impact, organizations should treat patching as high priority for managed endpoints running the affected Office builds. Microsoft’s MSRC advisory is the primary vendor reference, and the CVE was published on 2026-05-12 and last modified on 2026-05-19 in the supplied corpus.
- Vendor: Microsoft
- Product: Microsoft 365 Apps for Enterprise
- CVSS: HIGH 8.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-19
Who should care
Microsoft 365 and Office administrators, endpoint security teams, IT patch managers, and users of affected Office 2016/2019/LTSC/365 Apps deployments should care. This is especially relevant for organizations that allow local execution of untrusted content or have broad Office installation footprints across Windows and macOS systems.
Technical summary
The vulnerability is identified as CWE-122 (heap-based buffer overflow). NVD’s CVSS vector indicates a local attack path (AV:L) with no privileges or user interaction required in the scoring model, and potential impact to confidentiality, integrity, and availability. The NVD CPE list marks Microsoft 365 Apps, Office 2016, Office 2019, and Office LTSC 2021/2024 variants as vulnerable; the Office for Android entry is also listed with an affected version boundary in the supplied data.
Defensive priority
High. The score is 8.4 and the potential impact is complete compromise of local Office execution context. Even though the attack vector is local, Office is a high-value endpoint target and typically present on many managed systems, so remediation should be scheduled promptly after vendor guidance is reviewed.
Recommended defensive actions
- Review Microsoft’s advisory for CVE-2026-40363 and apply the recommended Office updates.
- Prioritize patch deployment to endpoints running Microsoft 365 Apps, Office 2016/2019, and Office LTSC 2021/2024 as listed by NVD.
- Verify Office versions and architectures in your asset inventory to identify exposed systems.
- Use standard endpoint protections and software restriction controls to reduce the risk from local code execution paths.
- Monitor the Microsoft Security Update Guide and NVD for any additional affected builds or clarification of the fixed versions.
Evidence notes
Evidence is limited to the supplied official corpus: the NVD CVE record and Microsoft’s MSRC advisory reference. NVD marks the vulnerability as analyzed, publishes the CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and lists CWE-122. The provided enrichment does not mark the CVE as KEV and does not indicate known ransomware campaign use.
Official resources
- CVE-2026-40363 CVE record (CVE.org)
- CVE-2026-40363 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed in the supplied corpus on 2026-05-12 and last modified on 2026-05-19. No KEV listing or known ransomware campaign use is indicated in the provided data.