CVE-2026-40366

⚠️ high

🔍 Scan for this CVE

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

CVSS Score

8.4

High

EPSS Score

0.1

Exploit Probability

Published Date

2026-05-12

First Seen: 2026-05-20

This CVE is High Risk - more severe than 80.3% of all 321,566 vulnerabilities in our database.

#63,257

Top 25% most severe

Severity Percentile

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Total

Complete system compromise possible

SSVC data provided by CISA

Last Modified 2026-05-19

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE IDs (Weakness Types)

CWE-416

📦 Affected Products 5

Vendor	Product	Status	Affected Versions
microsoft	office	Affected	v2019
microsoft	word	Affected	v2016
microsoft	365_apps	Affected	v-
microsoft	office_long_term_servicing_channel	Affected	v2021
microsoft	office_long_term_servicing_channel	Affected	v2024

Vendor Advisory

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-40421	🔶 medium	4.3	0.1	External control of file name or path in Microsoft Office Word allows an unauthorized attacker to disclose information o...	2026-05-12
CVE-2026-42831	⚠️ high	7.8	0.1	Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.	2026-05-12
CVE-2026-42832	⚠️ high	7.7	0.1	Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.	2026-05-12
CVE-2026-35436	⚠️ high	8.8	0.1	Insufficient granularity of access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate pri...	2026-05-12
CVE-2026-35440	🔶 medium	5.5	0.0	Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose...	2026-05-12
CVE-2026-40358	⚠️ high	8.4	0.1	Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.	2026-05-12

These CVEs affect the same products