
PatchSiren cyber security CVE debrief

CVE-2026-40367 Microsoft CVE debrief

CVE-2026-40367 is a high-severity Microsoft flaw involving an untrusted pointer dereference (CWE-822). The published description says an unauthorized attacker can execute code locally, and the supplied CVSS vector rates it 8.4/High. The NVD record linked from Microsoft’s advisory also expands the affected scope beyond Word to include several Office and SharePoint Server products, so remediation should be prioritized wherever the listed versions are in use.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-21
Advisory published: 2026-05-12
Advisory updated: 2026-05-21

Who should care

Microsoft 365/Office and SharePoint administrators, endpoint security teams, and vulnerability managers responsible for the listed Office, Word, or SharePoint deployments.

Technical summary

The issue is categorized as an untrusted pointer dereference in Microsoft Office Word. In the supplied metadata, NVD maps the weakness to CWE-822 and lists vulnerable CPEs covering Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, Word 2016, and SharePoint Server 2016/2019/Subscription Edition. The impact supported by the evidence is code execution, with confidentiality, integrity, and availability all rated high in the CVSS vector.

Defensive priority

High. Patch and validate exposure quickly for any affected Office or SharePoint deployment listed in the vendor or NVD references.

Recommended defensive actions

  • Apply Microsoft’s guidance for CVE-2026-40367 from the linked MSRC advisory.
  • Inventory systems running the affected Office, Word, and SharePoint versions named in the NVD CPE list.
  • Prioritize remediation for supported deployments of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, Word 2016, and SharePoint Server variants.
  • Confirm patch state against the vendor advisory before closing the finding.
  • Monitor for abnormal Office or SharePoint behavior during the remediation window.

Evidence notes

This debrief is based only on the supplied NVD record snapshot and the linked Microsoft advisory. The CVE was published on 2026-05-12 and modified on 2026-05-21. The official metadata shows CVSS 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), CWE-822, and Microsoft as the vendor reference. No CISA KEV entry was supplied.

Official resources

First published in the supplied official sources on 2026-05-12 and updated on 2026-05-21. No KEV listing was provided in the source corpus.