Description
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read in Microsoft Office Excel that permits an unauthorized local attacker to read data held in memory for a given application instance. This flaw is identified as CWE‑125 and can expose sensitive information that the user has opened or is currently working on, potentially including personal data or corporate secrets. The consequence is a loss of confidentiality for any information that resides in memory when the vulnerable application is running.

Affected Systems

The affected products are Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. Version information was not specified in the data, so any installed build of these products may be vulnerable unless a fix has already been applied.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity impact for a local attacker, but the exploit is limited to a local context and does not provide remote code execution. The EPSS score is not available, so exact exploit likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need local access to the user’s account and the ability to launch the affected Office application to leverage the out‑of‑bounds read and recover memory contents.

Generated by OpenCVE AI on May 12, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install any Microsoft Office updates that address CVE-2026-40360 via Windows Update or the Office installer.
  • Restrict installation and execution rights of Office applications to trusted users only, limiting the potential data exposed to local accounts.
  • Keep detailed monitoring in place to detect anomalous memory read activity that could indicate exploitation of the out‑of‑bounds read flaw.

Generated by OpenCVE AI on May 12, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*
Vendors & Products Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel

Wed, 13 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Online Server
Vendors & Products Microsoft office Online Server

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
Title Microsoft Excel Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-125
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Excel Excel 2016 Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Office Online Server
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-05T16:38:43.938Z

Reserved: 2026-04-11T23:06:15.614Z

Link: CVE-2026-40360

cve-icon Vulnrichment

Updated: 2026-05-13T10:20:21.296Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:14.817

Modified: 2026-05-19T18:05:18.790

Link: CVE-2026-40360

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T21:15:27Z

Weaknesses