CVE-2026-40366
Microsoft · Office Word
A use-after-free vulnerability in Microsoft Office Word allows an unauthorized attacker to execute arbitrary code locally.
Executive summary
A use-after-free vulnerability in Microsoft Office Word presents a critical risk, allowing unauthorized local code execution.
Vulnerability
The software contains a use-after-free defect in memory management, which an unauthenticated attacker can leverage to execute arbitrary code.
Business impact
With a CVSS score of 8.4, this vulnerability represents a significant threat to organizational security. Successful exploitation grants the attacker the ability to execute code with the privileges of the logged-in user, potentially resulting in data loss, theft, or complete system takeover.
Remediation
Immediate Action: Apply the required security updates provided by Microsoft as detailed in the official advisory at https://aka.ms/OfficeSecurityReleases.
Proactive Monitoring: Monitor for suspicious document-handling activity and ensure that security patches are applied across all workstations running affected versions.
Compensating Controls: Utilize EDR/XDR tools to block suspicious execution chains commonly associated with Office document exploits.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this vulnerability necessitates immediate action. IT teams should deploy the available patches across the environment to mitigate the risk of local code execution and ensure that security policies are strictly enforced for Office applications.