PatchSiren cyber security CVE debrief
CVE-2026-40420 Microsoft CVE debrief
CVE-2026-40420 is a high-severity local privilege escalation vulnerability in Microsoft Office Click-To-Run, published by NVD on 2026-05-12 and last modified on 2026-05-19. The flaw stems from improper access control (CWE-284) and allows an authorized attacker with local access to elevate privileges. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates a local attack vector with low complexity, low privileges required, no user interaction, and scope change, resulting in high impacts to confidentiality, integrity, and availability. Affected products include Microsoft 365 Apps for Enterprise (x64 and x86), Office 2019 (x64 and x86), and Office Long Term Servicing Channel 2021 and 2024 (x64 and x86). Microsoft has issued a vendor advisory with remediation guidance. Organizations should prioritize patching through standard Microsoft update channels and review local access controls on systems running vulnerable Office installations.
- Vendor: Microsoft
- Product: Microsoft 365 Apps for Enterprise
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-19
Who should care
Organizations running Microsoft Office Click-To-Run deployments, particularly those with shared workstations or environments where users have local interactive access. Security teams managing endpoint privilege management and patch deployment for Microsoft 365 and Office installations.
Technical summary
Improper access control in Microsoft Office Click-To-Run enables local privilege escalation. The vulnerability requires local access and low privileges but can result in complete system compromise due to scope change and high confidentiality, integrity, and availability impacts. Affected versions span Microsoft 365 Apps for Enterprise, Office 2019, and Office Long Term Servicing Channel 2021 and 2024 across both x64 and x86 architectures.
Defensive priority
high
Recommended defensive actions
- Apply security updates from Microsoft for affected Office versions as detailed in the vendor advisory
- Prioritize patching on systems where users have local interactive access
- Review and restrict local administrative privileges on endpoints running Microsoft Office
- Monitor for anomalous privilege escalation attempts on Office Click-To-Run installations
- Verify update deployment across both x64 and x86 architectures where applicable
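A per-host check that supports the last two actions above (restrict local privileges only after confirming what is installed, and verify deployment on both x64 and x86). This is an added example, not part of the PatchSiren debrief or any Microsoft tooling; it assumes the standard Click-to-Run configuration registry key and uses a placeholder for the fixed build number, which this page does not state.

```powershell
# Added example, not from the PatchSiren debrief or Microsoft.
# Reads the Office Click-to-Run configuration from the registry and reports the
# installed build and architecture so patch coverage for CVE-2026-40420 can be
# checked host by host. The patched build is not given on this page, so
# $MinimumPatchedBuild is a PLACEHOLDER: replace it with the value from the
# Microsoft advisory for the update channel your endpoints use. Until then the
# PatchStatus column is meaningless and only Build/Platform should be used.

function Get-ClickToRunPatchStatus {
    param(
        # PLACEHOLDER: minimum patched build from the Microsoft advisory.
        [version]$MinimumPatchedBuild = [version]'16.0.0.0'
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path -Path $key)) {
        # No Click-to-Run install here (MSI-based Office, or no Office at all),
        # so this advisory does not apply to the host.
        return [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            ClickToRun  = $false
            Build       = $null
            Platform    = $null
            Products    = $null
            PatchStatus = 'NotApplicable'
        }
    }

    $cfg      = Get-ItemProperty -Path $key
    $build    = [version]$cfg.VersionToReport   # e.g. 16.0.<major>.<minor>
    $platform = $cfg.Platform                    # 'x64' or 'x86'
    $products = $cfg.ProductReleaseIds           # e.g. O365ProPlusRetail

    # Builds are only comparable within one update channel; compare against
    # the fixed build for the channel in use, not a single global number.
    $status = if ($build -ge $MinimumPatchedBuild) { 'Patched' } else { 'Vulnerable' }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        ClickToRun  = $true
        Build       = $build.ToString()
        Platform    = $platform
        Products    = $products
        PatchStatus = $status
    }
}

# Run on each endpoint (for example through your endpoint management tool)
# and aggregate the objects to spot hosts, x64 or x86, still on an old build.
Get-ClickToRunPatchStatus | Format-List
```

Group the collected output by Platform and Build to confirm that both architectures received the update rather than only the more common x64 deployment.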
Evidence notes
CVE description and CVSS vector sourced from NVD record. Affected product list derived from CPE criteria in NVD source item. CWE-284 classification confirmed via NVD weaknesses field. Microsoft vendor advisory link confirmed in NVD references.
Official resources
- CVE-2026-40420 CVE record (CVE.org)
- CVE-2026-40420 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory, 2026-05-12