CVE-2026-40367

Microsoft · Office Word

An untrusted pointer dereference vulnerability in Microsoft Office Word allows an unauthorized attacker to execute arbitrary code locally.

Executive summary

An untrusted pointer dereference vulnerability in Microsoft Office Word poses a severe risk of local code execution for users on multiple versions of the software.

Vulnerability

This vulnerability involves an untrusted pointer dereference, which can be triggered by an attacker to achieve local code execution. The vulnerability is exploitable by an unauthenticated local user.

Business impact

The vulnerability carries a CVSS score of 8.4, indicating a high level of risk. Successful exploitation could lead to full system compromise, unauthorized data access, and potential lateral movement within the enterprise environment.

Remediation

Immediate Action: Apply the latest security updates provided by Microsoft via the official update guide at https://aka.ms/OfficeSecurityReleases.

Proactive Monitoring: Monitor endpoint security logs for unusual process spawning behavior or unexpected crashes in Microsoft Office applications.

Compensating Controls: Ensure that Endpoint Detection and Response (EDR) solutions are active and configured to detect malicious document behavior.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the high CVSS score and the critical nature of code execution vulnerabilities in productivity software, organizations must prioritize the deployment of the vendor-supplied patches. Administrators should verify that all affected systems are updated to the latest build versions immediately to eliminate the attack surface.