CVE-2026-40367
Microsoft · Office Word
An untrusted pointer dereference vulnerability in Microsoft Office Word allows an unauthorized attacker to execute arbitrary code locally.
Executive summary
An untrusted pointer dereference vulnerability in Microsoft Office Word poses a severe risk of local code execution for users on multiple versions of the software.
Vulnerability
This vulnerability involves an untrusted pointer dereference, which can be triggered by an attacker to achieve local code execution. The vulnerability is exploitable by an unauthenticated local user.
Business impact
The vulnerability carries a CVSS score of 8.4, indicating a high level of risk. Successful exploitation could lead to full system compromise, unauthorized data access, and potential lateral movement within the enterprise environment.
Remediation
Immediate Action: Apply the latest security updates provided by Microsoft via the official update guide at https://aka.ms/OfficeSecurityReleases.
Proactive Monitoring: Monitor endpoint security logs for unusual process spawning behavior or unexpected crashes in Microsoft Office applications.
Compensating Controls: Ensure that Endpoint Detection and Response (EDR) solutions are active and configured to detect malicious document behavior.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the high CVSS score and the critical nature of code execution vulnerabilities in productivity software, organizations must prioritize the deployment of the vendor-supplied patches. Administrators should verify that all affected systems are updated to the latest build versions immediately to eliminate the attack surface.