Planned Fix

CVE-2026-40361

Remote Code Execution in Microsoft Word

Summary

Microsoft Word has a use-after-free in its document handling code that can let an attacker execute code locally on a victim machine. Microsoft’s May 2026 security updates cover Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, Office for Mac 2021/2024, and Word 2016. The flaw can be triggered by malicious documents or previewed content and does not require authentication, and successful exploitation runs attacker-controlled code in the Word/Office process under the current user context.

Why Planned Fix?

5/6
No authentication required
Mixed internet / internal deployment
No user interaction needed
Exploitable in default configuration
No active exploitation or PoC
High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Exploitable with default configuration? Yes
Authentication needed? No
PoC / Exploit: No
Impact: Execute arbitrary code as the current user
Exploitation Requirements: None — vulnerable in default configuration

Exploitation Process

An attacker sends a crafted Word document or document-bearing email to the victim. When the victim previews the content in Outlook or opens it in Word, the application processes attacker-controlled document data and hits the use-after-free in Word's rendering path. If exploitation succeeds, the attacker’s code runs inside the Office process under the victim’s account.

Detection Resources

Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Microsoft

Product                              Affected Versions
Microsoft 365 Apps for Enterprise    16.0.1 through the May 12, 2026 Office security release
Microsoft Office 2019                19.0.0 through the May 12, 2026 Office security release
Microsoft Office LTSC 2021           16.0.1 through the May 12, 2026 Office security release
Microsoft Office LTSC 2024           16.0.0 through the May 12, 2026 Office security release
Microsoft Office LTSC for Mac 2021   16.0.1 through 16.109.26051019
Microsoft Office LTSC for Mac 2024   16.0.0 through 16.109.26051019
Microsoft Word 2016                  16.0.1 through 16.0.5552.1000

Description

Microsoft Word is Microsoft’s word-processing application for creating, editing, and reviewing documents, and is commonly deployed as part of Microsoft Office and Microsoft 365.

Deployment: Mixed (internet/internal)
Protocol: File
Ports: none listed

Affected Component: Word's document parsing and rendering code path, including preview handling when documents are rendered in Office or Outlook.

Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments (AI-generated estimate based on market presence, product type and adoption signals; not exact data).
Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update
Install the May 12, 2026 Microsoft Office security updates. Word 2016 users should apply KB5002858, and Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for Mac 2021/2024 should move to the corresponding May 12, 2026 builds listed in Microsoft's release notes.

Reference: learn.microsoft.com
Threat Intelligence
EPSS Score: 0.1% (probability of exploitation in the next 30 days)
EPSS Percentile: 18% (worse than 18% of all CVEs)
CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors: No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

CVSS Base Score

8.4
High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-416 Use After Free

Priority History

Planned Fix
Initial analysis

Fix Soon
Elevated — new exploitation evidence confirmed