PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40366 Microsoft CVE debrief

CVE-2026-40366 is a use-after-free vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally. The vulnerability was published in the NVD on May 12, 2026, and last modified on May 19, 2026. Microsoft has assigned it a CVSS 3.1 score of 8.4 (HIGH); the vector indicates a local attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The root cause is CWE-416 (Use After Free), a memory safety issue in which a program continues to use a pointer after the memory it references has been freed. This vulnerability affects multiple Microsoft Office product lines, including Microsoft 365 Apps for Enterprise (x64 and x86), Office 2019 (x64 and x86), Office Long Term Servicing Channel 2021 and 2024 (x64, x86, and macOS), and Word 2016 (x64 and x86). The broad product coverage suggests the flaw lives in code components shared across Microsoft's Office suite. As a high-severity local code execution vulnerability, it poses significant risk in scenarios where an attacker has already gained initial access to a system and seeks to escalate privileges or establish persistence. Organizations should prioritize patching based on their deployment of affected Office versions, with particular attention to environments where Office documents are processed from untrusted sources.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Organizations running affected Microsoft Office versions, particularly those with document-centric workflows, BYOD environments, or security boundaries relying on user privilege separation. Security teams should prioritize this for patch management cycles given the HIGH severity and broad product coverage.

Technical summary

This vulnerability is a use-after-free (CWE-416) in Microsoft Office Word's memory management. When Word processes certain document content, improper handling of object lifecycles can result in a pointer referencing freed memory. An attacker who can cause Word to process a maliciously crafted document can trigger this condition to execute arbitrary code in the context of the Word process. The attack requires local access (AV:L) but needs no user interaction or privileges, making it suitable for privilege escalation chains. The vulnerability affects shared components across Office 2021 LTSC, Office 2024 LTSC, Microsoft 365 Apps, Office 2019, and Word 2016 on Windows and macOS platforms.

Defensive priority

HIGH

Recommended defensive actions

  • Apply security updates from Microsoft as soon as available for all affected Office versions in your environment
  • Prioritize patching systems where Office documents from external sources are regularly processed
  • Consider implementing Microsoft Defender Application Guard or similar sandboxing for Office documents in high-risk scenarios
  • Review and restrict macro execution policies and document opening behaviors from untrusted sources
  • Monitor for anomalous Word process behavior including unexpected child processes or network connections
  • Ensure Microsoft Office installations are configured for automatic updates where organizational policy permits
  • For Word 2016 and Office 2019 deployments, verify Extended Support status and migration timelines given end-of-life considerations
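The monitoring action above (unexpected child processes or network connections from Word) can be turned into a concrete detection. The following is an added example written for this debrief; it is not PatchSiren's or Microsoft's code and is not tied to the specifics of CVE-2026-40366. It reads Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records as JSON lines, and reports any child of WINWORD.EXE that is not on a small allowlist, plus any outbound connection from Word to a port outside the expected set. The allowlists and the log records are constructed for illustration and must be tuned from your own telemetry before use.

```python
"""Flag unexpected Word child processes and network connections.

Added example for this CVE debrief (not the page's or Microsoft's code).
Input: Sysmon-style events serialized as JSON lines (one event per line).
"""
import json
from dataclasses import dataclass

# Hypothetical allowlist of processes Word legitimately spawns.
# Build the real list from a baseline of your own estate's telemetry.
EXPECTED_WORD_CHILDREN = {
    "splwow64.exe",   # print spooler proxy used by 32-bit Office on 64-bit Windows
    "winword.exe",    # Word re-launching itself (e.g. safe-mode recovery)
}

# Hypothetical allowlist of destination ports Word is expected to use.
EXPECTED_WORD_PORTS = {80, 443}

# Constructed sample events (not real telemetry): Word opens a document, prints,
# then spawns a shell and connects to an unusual port; a harmless notepad launch
# is included as a control.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\quote.docx\""}
{"EventID": 1, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "splwow64.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationIp": "203.0.113.7", "DestinationPort": 4444}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationIp": "203.0.113.9", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""


@dataclass
class Finding:
    kind: str      # "unexpected_child" or "unexpected_network"
    subject: str   # child image name, or "ip:port" for a connection
    detail: str    # command line where available


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_word(path: str) -> bool:
    """True when the image path refers to Microsoft Word's main executable."""
    return basename(path) == "winword.exe"


def analyze_events(lines) -> list:
    """Scan JSON-line events and return findings for anomalous Word behaviour."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        event_id = ev.get("EventID")

        # Process creation: flag children of Word that are not on the allowlist.
        if event_id == 1 and is_word(ev.get("ParentImage", "")):
            child = basename(ev.get("Image", ""))
            if child not in EXPECTED_WORD_CHILDREN:
                findings.append(Finding("unexpected_child", child,
                                        ev.get("CommandLine", "")))

        # Network connection: flag Word talking to ports outside the expected set.
        elif event_id == 3 and is_word(ev.get("Image", "")):
            port = int(ev.get("DestinationPort", 0))
            if port not in EXPECTED_WORD_PORTS:
                subject = f"{ev.get('DestinationIp', '?')}:{port}"
                findings.append(Finding("unexpected_network", subject, ""))
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.kind}] {f.subject} {f.detail}".rstrip())
```

Run as a script it reports the cmd.exe child and the connection to port 4444 and stays silent on the print-spooler child, the HTTPS connection and the unrelated notepad launch. In production the same logic belongs in your SIEM as a rule keyed on ParentImage and DestinationPort; the value of the script is in showing which fields carry the signal and why an allowlist, rather than a blocklist, is the right shape for a parent/child baseline.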

Evidence notes

Vulnerability description and CVSS scoring derived from NVD record. Affected product list extracted from CPE criteria in source metadata. CWE-416 classification confirmed via NVD weaknesses field. Vendor advisory reference confirmed via source metadata references.

Official resources

2026-05-12