PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40418 Microsoft CVE debrief

CVE-2026-40418 is a use-after-free vulnerability in Microsoft Office Click-To-Run that allows an authorized attacker to elevate privileges locally. The vulnerability was published on May 12, 2026, and last modified on May 19, 2026. It carries a CVSS 3.1 score of 7.8 (HIGH severity) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, low privileges required, no user interaction, and high impacts to confidentiality, integrity, and availability. The root cause is classified as CWE-416 (Use After Free). Affected products include Microsoft 365 Apps for Enterprise (x64 and x86), Office 2019 (x64 and x86), and Office Long Term Servicing Channel 2021 and 2024 (x64 and x86). Microsoft has issued a vendor advisory with remediation guidance. Organizations should prioritize patching given the high severity and local privilege escalation potential, particularly on multi-user systems where lower-privileged accounts may attempt elevation.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

System administrators managing Microsoft Office deployments, security teams responsible for endpoint protection, and organizations with strict privilege separation requirements on Windows workstations.

Technical summary

A use-after-free condition in Microsoft Office Click-To-Run permits an attacker with local access and low privileges to escalate to higher privilege levels without user interaction. The vulnerability affects multiple Office deployment channels including Microsoft 365 Apps for Enterprise, Office 2019, and Office Long Term Servicing Channel 2021 and 2024 across both x86 and x64 architectures. The CVSS 3.1 score of 7.8 reflects significant security impact with high confidentiality, integrity, and availability consequences. Remediation is available through Microsoft's security update mechanism.

Defensive priority

high

Recommended defensive actions

  • Apply security updates from Microsoft for affected Office versions as referenced in the vendor advisory
  • Prioritize patching on multi-user workstations and systems where least-privilege separation is critical
  • Monitor for anomalous Office Click-To-Run process behavior that may indicate exploitation attempts
  • Review user account permissions to minimize exposure to local privilege escalation vectors
  • Validate patch deployment across all affected architectures (x86 and x64) and Office deployment channels
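To support the last action, the following inventory script is an added example (not PatchSiren's or Microsoft's code). It reads the build, platform and update-channel data that Click-to-Run records under its Configuration registry key and flags hosts below a minimum build; the minimum build is a placeholder you must take from the Microsoft advisory, and the host names are constructed.

```powershell
# Added example: inventory Office Click-to-Run installs and compare the
# reported build with the patched build from the MSRC advisory.
# PLACEHOLDER: replace with the first fixed build for your channel(s) as
# listed in the advisory for CVE-2026-40418 before relying on the result.
$MinimumPatchedBuild = [version]'0.0.0.0'

function Get-ClickToRunStatus {
    param([Parameter(Mandatory)][version]$MinimumBuild)

    # Values written by the Click-to-Run installer for every C2R Office install
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $key)) {
        # No Click-to-Run Office on this host (MSI installs live elsewhere)
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME; Installed = $false
            Products = $null; Platform = $null; UpdateUrl = $null
            Build = $null; Patched = $null
        }
    }
    $cfg   = Get-ItemProperty -Path $key
    $build = [version]$cfg.VersionToReport

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $true
        Products     = $cfg.ProductReleaseIds   # e.g. O365ProPlusRetail, ProPlus2019Volume
        Platform     = $cfg.Platform            # x86 or x64: both are affected
        UpdateUrl    = $cfg.CDNBaseUrl          # identifies the update channel in use
        Build        = $build
        Patched      = ($build -ge $MinimumBuild)
    }
}

# Local check
Get-ClickToRunStatus -MinimumBuild $MinimumPatchedBuild

# Fleet check over PowerShell remoting (needs WinRM and admin rights on targets).
# Host names below are constructed samples.
$hosts = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02')
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-ClickToRunStatus} `
    -ArgumentList $MinimumPatchedBuild |
    Sort-Object Patched, ComputerName |
    Format-Table ComputerName, Installed, Platform, Products, Build, Patched -AutoSize
```

Hosts reporting Patched = False, or an unexpected UpdateUrl, are the ones where the update has not yet landed on that channel and architecture.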

Evidence notes

Vulnerability details sourced from NVD with vendor advisory from Microsoft Security Response Center. CVSS vector and affected product list derived from official CPE criteria. CWE-416 classification confirmed via NVD weakness data.
