Description
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-05-12
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The updated vulnerability description indicates a use‑after‑free flaw (CWE‑416) in Microsoft Office that enables an attacker to execute code locally. When a malicious document is opened, the program accesses a memory region that has already been freed, causing memory corruption and allowing the attacker to run arbitrary code with the privileges of the current user.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024, Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Microsoft Word 2016. Version information is not specified in the advisories, so all currently released versions of these products are considered at risk.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. The EPSS score of < 1% indicates a very low but existing exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely released exploit at this time. Based on the description, the likely attack vector is local, requiring the victim to open a malicious document; however, after exploitation the attacker can run code with the user’s privileges. Immediate patching is advised to mitigate the potential for a severe compromise.

Generated by OpenCVE AI on June 3, 2026 at 04:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security updates for Microsoft Word and Office products through Microsoft Update or the vendor’s patch portal.
  • Restrict the opening of Office documents from untrusted sources by using file‑type filtering or a document sandbox until a patch is applied.
  • Configure macro security to the highest level or disable macros entirely if they are not required for legitimate business processes.

Generated by OpenCVE AI on June 3, 2026 at 04:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally. Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Title Microsoft Word Remote Code Execution Vulnerability Microsoft Outlook and Word Remote Code Execution Vulnerability

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft word
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft word

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title Microsoft Word Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft word 2016
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft word 2016
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Word Word 2016
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-02T23:17:38.373Z

Reserved: 2026-04-11T23:06:15.614Z

Link: CVE-2026-40361

cve-icon Vulnrichment

Updated: 2026-05-12T19:34:40.004Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T18:17:14.950

Modified: 2026-06-03T00:16:38.233

Link: CVE-2026-40361

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T04:15:24Z

Weaknesses