PatchSiren cyber security CVE debrief

CVE-2026-40421 Microsoft CVE debrief

A medium-severity information disclosure vulnerability in Microsoft Office Word, published 2026-05-12 and last modified 2026-05-19. The flaw stems from external control of file name or path (CWE-73), allowing an unauthenticated remote attacker to disclose information over a network when a user interacts with a malicious document. CVSS 3.1 score of 4.3 reflects network attack vector, low attack complexity, required user interaction, and low confidentiality impact with no integrity or availability impact. Affected products include Microsoft 365 Apps for Enterprise (x64/x86), Office 2019/2024/LTSC 2021 (x64/x86), and Word 2016 (x64/x86). No known exploitation in the wild or ransomware campaign use has been reported; the vulnerability is not listed in CISA KEV.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Organizations running Microsoft Office 2016, 2019, 2021 LTSC, 2024 LTSC, or Microsoft 365 Apps for Enterprise; security teams responsible for endpoint protection and patch management; and users who handle documents from external or untrusted sources.

Technical summary

The vulnerability exists in Microsoft Office Word's handling of file names or paths, where insufficient validation allows an attacker to influence file operations. When a user opens a crafted document, the application may access attacker-controlled paths, leading to information disclosure over the network. The attack requires user interaction (opening a malicious file) but does not require privileges. The confidentiality impact is rated low per CVSS, with no integrity or availability impact. Multiple Office and Word versions across x86 and x64 architectures are affected.

Defensive priority

Medium

Recommended defensive actions

  • Apply security updates from Microsoft as referenced in the vendor advisory for affected Office and Word versions
  • Restrict macro execution and external content in Word via Group Policy or application settings
  • Educate users on phishing risks and safe handling of documents from untrusted sources
  • Monitor for suspicious network activity from Office applications indicating potential information exfiltration

Evidence notes

Vulnerability description and CVSS vector sourced from NVD record with vendor advisory from Microsoft Security Response Center. CWE-73 classification confirmed via NVD weaknesses field. Affected product list derived from CPE criteria in NVD source data. No KEV entry present per source enrichment data.

Official resources

2026-05-12