PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40364 Microsoft CVE debrief

CVE-2026-40364 is a high-severity type confusion vulnerability in Microsoft Word that allows an unauthorized attacker to execute code locally. The flaw stems from improper type handling when Word processes certain document content; the resulting memory corruption can be turned into arbitrary code execution in the security context of the user who opened the document. Microsoft assigned a CVSS 3.1 base score of 8.4 (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): high impact on confidentiality, integrity and availability, low attack complexity, no privileges required and, as scored, no user interaction. Affected deployment channels include Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021 and 2024 (Windows and macOS), and Word 2016. Microsoft has released security updates addressing the vulnerability; the CVE record was last modified on May 19, 2026. Patch promptly: Word is present on nearly every enterprise desktop and attacker-supplied documents are a routine delivery vector.

Vendor
Microsoft
Product
Microsoft 365 Apps for Enterprise
CVSS
HIGH 8.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-19
Advisory published
2026-05-12
Advisory updated
2026-05-19

Who should care

Enterprise security teams managing Microsoft Office deployments, desktop administrators responsible for patch management, and any organization whose users open Word documents from external sources (email attachments, shared drives, customer uploads) should prioritize this vulnerability. The high severity score and coverage of every current Office channel make this a critical patching target for environments where document-based attacks are a significant threat vector.

Technical summary

This vulnerability is a type confusion issue (CWE-843) in Microsoft Word's document parsing engine; NVD also records a heap-based buffer overflow (CWE-122) and use of an uninitialized resource (CWE-908) as associated weaknesses. The flaw occurs when Word treats an object of one type as another during document processing, leading to memory corruption. An attacker can craft a malicious document that, when parsed, triggers the type confusion and achieves code execution in the security context of the user running Word. The published vector scores the attack as local (AV:L) with no privileges (PR:N) and no user interaction (UI:N); in practice the precondition is that Word parses attacker-controlled content, most commonly because the victim opens a delivered file, and the UI:N rating means any path that gets Word to parse the content should be treated as in scope. The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates full loss of confidentiality, integrity, and availability within the user's security context; scope is unchanged (S:U), so the score does not claim an escape from that user's privilege boundary.

Defensive priority

HIGH

Recommended defensive actions

  • Apply the Microsoft security updates for the affected Office versions as outlined in the vendor advisory, and verify the update actually reached the build in use on each channel
  • Prioritize systems running Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024 (Windows and macOS), and Word 2016
  • Ensure Protected View is enforced for files from the internet, Outlook attachments and unsafe locations, so untrusted documents open in a sandboxed, read-only view; Microsoft Defender Application Guard for Office, which earlier guidance also named, has been deprecated by Microsoft and should not be the basis of new controls
  • Alert on winword.exe spawning script interpreters or LOLBins (cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe and similar); where Microsoft Defender for Endpoint is deployed, the Attack Surface Reduction rule that blocks Office applications from creating child processes enforces this rather than just detecting it. Also review WerFault.exe children of winword.exe: crashes in a memory-corruption bug's parser can be failed exploitation attempts
  • Keep macro-blocking policies in place, but do not rely on them for this bug: the type confusion is triggered by document content, not by VBA. Block or quarantine Word documents from untrusted sources at the mail gateway where the business allows it
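The child-process check from the list above, as an added example (not tooling from the advisory or from Microsoft): a small triage over process-creation events that flags winword.exe launching interpreters or LOLBins, surfaces unlisted children for review, and calls out WerFault.exe separately as a crash signal. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), but any source carrying parent and child image paths works. The events embedded below are constructed for the example, not real telemetry, and the benign-children allowlist is an assumption to tune to your own estate.

```python
"""Triage process-creation events for winword.exe spawning unexpected children.

Added example for this debrief, not code from the advisory. The sample events
are constructed; field names follow Sysmon Event ID 1.
"""
import json
import ntpath

# Children winword.exe spawns during normal use. Assumption: extend this from
# a baseline of your own estate before alerting on the "review" verdict.
BENIGN_CHILDREN = {"splwow64.exe"}

# Interpreters and LOLBins a document parser has no business launching.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "msiexec.exe", "bitsadmin.exe", "schtasks.exe",
}

# Crash handler: Word crashed, which for a memory-corruption bug can be a
# failed exploitation attempt and deserves a look at the faulting document.
CRASH_HANDLERS = {"werfault.exe"}


def classify(event):
    """Return (verdict, reason) for one event, or None when the parent is not
    winword.exe. Verdicts: benign, crash, high, review."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != "winword.exe":
        return None
    child = ntpath.basename(event.get("Image", "")).lower()
    if child in BENIGN_CHILDREN:
        return ("benign", "known Word helper process")
    if child in CRASH_HANDLERS:
        return ("crash", "Word crashed; check the document that was open")
    if child in SUSPICIOUS_CHILDREN:
        return ("high", f"{child} launched from Word")
    return ("review", f"unlisted child {child}")


def triage(lines):
    """Parse JSON-lines events and return every finding except benign ones,
    preserving input order so the test and the reader see the same list."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        result = classify(event)
        if result is None or result[0] == "benign":
            continue
        verdict, reason = result
        findings.append({
            "pid": event.get("ProcessId"),
            "user": event.get("User"),
            "child": ntpath.basename(event["Image"]).lower(),
            "command": event.get("CommandLine", ""),
            "verdict": verdict,
            "reason": reason,
        })
    return findings


# Constructed sample events (not real telemetry). Raw string so the JSON keeps
# its doubled backslashes.
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "splwow64.exe"}
{"ProcessId": 4188, "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"ProcessId": 4201, "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
{"ProcessId": 4230, "User": "CORP\\carol", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WerFault.exe", "CommandLine": "WerFault.exe -u -p 4100 -s 1234"}
{"ProcessId": 4251, "User": "CORP\\dave", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Users\\dave\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe"}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['verdict']:6}] pid={f['pid']} {f['user']} {f['child']}: {f['reason']}")
```

On the sample set the splwow64.exe launch is dropped as benign, the PowerShell launch with an encoded command is rated high, the WerFault.exe child is reported as a crash, and the executable run from a user's Temp folder is queued for review; the cmd.exe under explorer.exe is ignored because the rule is about Word's children only. Matching on the image basename rather than the full path keeps the logic the same across Click-to-Run and MSI install locations, at the cost of trusting the logged image name, so pair it with a source that records the verified path.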

Evidence notes

Vulnerability classification (CWE-843 with associated CWE-122 and CWE-908) and the affected product enumeration are derived from NVD CPE data and the Microsoft MSRC advisory. The CVSS vector confirms a local attack vector (AV:L) with high impact on confidentiality, integrity and availability and unchanged scope.

Official resources

CVE-2026-40364 was published in the NVD on May 12, 2026, and last modified on May 19, 2026. Microsoft has issued a security advisory with remediation guidance.