Description
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in Microsoft Excel that allows an unauthorized attacker to execute code locally. This flaw can compromise confidentiality, integrity, and availability by running arbitrary code with the permissions of the current user.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Office Online Server. No specific version range is disclosed, so any install of these products is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates substantial severity, and the EPSS score of 0.00062 indicates a very low but nonzero probability of exploitation. The vulnerability is not listed in CISA KEV. The heap overflow can be exploited by an attacker with local or privileged access to the system. Based on the description, it is inferred that the attack vector is local, requiring a user to open a crafted file or execute malicious code from within Excel. No public exploit has been reported, but the flaw’s nature warrants prompt mitigation.

Generated by OpenCVE AI on June 1, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Microsoft security update addressing CVE-2026-40362 to all affected Office products
  • Disable macros in Excel until a patch is applied, reducing the risk of code execution through malicious macros
  • Ensure that only trusted files are opened, and scan any downloaded documents with up‑to‑date endpoint protection before use

Generated by OpenCVE AI on June 1, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*
Vendors & Products Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel

Wed, 13 May 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Online Server
Vendors & Products Microsoft office Online Server

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Title Microsoft Excel Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-122
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:ltsc:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Excel Excel 2016 Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Office Online Server
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-02T23:17:10.302Z

Reserved: 2026-04-11T23:06:15.614Z

Link: CVE-2026-40362

cve-icon Vulnrichment

Updated: 2026-05-13T09:58:59.562Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T18:17:15.077

Modified: 2026-06-01T19:16:34.450

Link: CVE-2026-40362

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T21:45:22Z

Weaknesses