CVE Field Guide
About Us
CVE-2026-40359
PUBLISHED
Microsoft Excel Remote Code Execution Vulnerability
Assigner:
microsoft
Reserved:
11.04.2026
Published:
12.05.2026
Updated:
13.05.2026
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Metrics
CVSS 3.1
CVSS Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS Score:
7.8
CVSS score
7.8
Attack Vector
Local
Scope
Unchanged
Attack Complexity
Low
Confidentiality Impact
High
Privileges Required
None
Integrity Impact
High
User Interaction
Required
Availability Impact
High
CVSS 3.1
Product Status
Vendor
Microsoft
Product
Microsoft 365 Apps for Enterprise
Versions
affected from 16.0.1 to https://aka.ms/OfficeSecurityReleases (excl.)
Vendor
Microsoft
Product
Microsoft Excel 2016
Versions
affected from 16.0.0.0 to 16.0.5552.1000 (excl.)
Vendor
Microsoft
Product
Microsoft Office 2019
Versions
affected from 19.0.0 to https://aka.ms/OfficeSecurityReleases (excl.)
Vendor
Microsoft
Product
Microsoft Office LTSC 2021
Versions
affected from 16.0.1 to https://aka.ms/OfficeSecurityReleases (excl.)
Vendor
Microsoft
Product
Microsoft Office LTSC 2024
Versions
affected from 16.0.0 to https://aka.ms/OfficeSecurityReleases (excl.)
Vendor
Microsoft
Product
Microsoft Office LTSC for Mac 2021
Versions
affected from 16.0.1 to 16.109.26051019 (excl.)
Vendor
Microsoft
Product
Microsoft Office LTSC for Mac 2024
Versions
affected from 16.0.0 to 16.109.26051019 (excl.)
Vendor
Microsoft
Product
Office Online Server
Versions
affected from 16.0.0.0 to 16.0.10417.20128 (excl.)
References
Microsoft Excel Remote Code Execution Vulnerability
Problem Types