PatchSiren cyber security CVE debrief
CVE-2026-40419 Microsoft CVE debrief
A use-after-free vulnerability in Microsoft Office allows an authorized attacker to elevate privileges locally. The vulnerability was published on 2026-05-12 and last modified on 2026-05-19. Microsoft has issued a vendor advisory for this issue.
- Vendor: Microsoft
- Product: Microsoft 365 Apps for Enterprise
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-19
Who should care
Organizations running Microsoft Office on endpoints, particularly multi-user systems or environments where users may have limited privileges that could be escalated. Security teams responsible for patch management and endpoint protection should prioritize this vulnerability due to its high severity and low exploitation barriers.
Technical summary
CVE-2026-40419 is a use-after-free vulnerability (CWE-416) in Microsoft Office that enables local privilege escalation. The vulnerability affects multiple Office versions including Microsoft 365 Apps for Enterprise, Office 2019, and Office LTSC 2021/2024 across both x64 and x86 architectures. With a CVSS score of 7.8, the issue presents a significant risk as it allows an attacker with local access and low privileges to gain elevated permissions without user interaction. The attack complexity is low, and successful exploitation can compromise confidentiality, integrity, and availability of the affected system. Organizations should prioritize applying Microsoft's security updates to remediate this vulnerability.
Defensive priority
HIGH
Recommended defensive actions
- Apply security updates from Microsoft as outlined in the MSRC advisory for CVE-2026-40419
- Prioritize patching systems running affected Office versions, particularly those with multiple users or elevated privilege requirements
- Monitor for anomalous Office process behavior that may indicate exploitation attempts
- Review and restrict local user privileges where possible to reduce attack surface
- Ensure Office installations are configured for automatic updates if organizational policy permits
Evidence notes
The vulnerability is classified as CWE-416 (Use After Free) with a CVSS 3.1 score of 7.8 (HIGH). Affected products include Microsoft 365 Apps for Enterprise (x64 and x86), Office 2019 (x64 and x86), and Office Long Term Servicing Channel 2021 and 2024 (x64 and x86). The attack vector is local (AV:L) with low attack complexity (AC:L) and low privileges required (PR:L), requiring no user interaction (UI:N). Successful exploitation can result in high impact to confidentiality, integrity, and availability.
Official resources
- CVE-2026-40419 CVE record (CVE.org)
- CVE-2026-40419 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
Microsoft disclosed this vulnerability via the Microsoft Security Response Center (MSRC). The CVE was published on 2026-05-12 and underwent a metadata update on 2026-05-19. No known exploitation in the wild has been reported, and the issue