CVE Field Guide
CVE-2026-40366
PUBLISHED
Microsoft Word Remote Code Execution Vulnerability
Assigner: microsoft
Reserved: 11.04.2026
Published: 12.05.2026
Updated: 13.05.2026
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Metrics
CVSS 3.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS Score: 8.4
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Product Status
Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
Versions: affected from 16.0.1 to https://aka.ms/OfficeSecurityReleases (excl.)

Vendor: Microsoft
Product: Microsoft Office 2019
Versions: affected from 19.0.0 to https://aka.ms/OfficeSecurityReleases (excl.)

Vendor: Microsoft
Product: Microsoft Office LTSC 2021
Versions: affected from 16.0.1 to https://aka.ms/OfficeSecurityReleases (excl.)

Vendor: Microsoft
Product: Microsoft Office LTSC 2024
Versions: affected from 16.0.0 to https://aka.ms/OfficeSecurityReleases (excl.)

Vendor: Microsoft
Product: Microsoft Office LTSC for Mac 2021
Versions: affected from 16.0.1 to 16.109.26051019 (excl.)

Vendor: Microsoft
Product: Microsoft Office LTSC for Mac 2024
Versions: affected from 16.0.0 to 16.109.26051019 (excl.)

Vendor: Microsoft
Product: Microsoft Word 2016
Versions: affected from 16.0.1 to 16.0.5552.1000 (excl.)
References
Microsoft Word Remote Code Execution Vulnerability
Problem Types