Description
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-05-12
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-based buffer overflow (CWE-122) is present in Microsoft Office products, allowing an unauthorized attacker to execute code locally on the affected system. According to the CVE description, an attacker who triggers the overflow gains the same privileges as the user and can execute arbitrary code on the host.

Affected Systems

The vulnerability affects Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, and Microsoft Office for Android. No specific patch levels are listed, so any installation of these products that has not yet received the latest update may be vulnerable.

Risk and Exploitability

The CVSS base score of 8.4 indicates severe potential impact. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting that widespread exploitation has not yet been observed. Based on the nature of heap overflows in Office applications, the likely attack vector is opening or processing a specially crafted Office document or file. This is an inference: the description indicates code execution through a heap overflow during document handling, but the exact trigger is not stated.

Generated by OpenCVE AI on May 12, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Office security update that addresses CVE-2026-40363, as published in the Microsoft Security Response Center update guide.
  • Configure Office to enforce Protected View for all documents originating from untrusted sources and disable macros unless explicitly enabled by the user.
  • Monitor endpoint activity for anomalous processes that may indicate exploitation attempts and deploy endpoint detection and response tools to detect and contain potential compromise.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Values Removed: none

Values Added:

Description: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Title: Microsoft Office Remote Code Execution Vulnerability
First Time appeared: Microsoft; Microsoft 365 Apps; Microsoft office; Microsoft office 2016; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024; Microsoft office Macos 2021; Microsoft office Macos 2024
Weaknesses: CWE-122
CPEs:
  cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
  cpe:2.3:a:microsoft:office:*:*:android:*:*:*:*:*
  cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*
  cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
  cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
  cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
  cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products: Microsoft; Microsoft 365 Apps; Microsoft office; Microsoft office 2016; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024; Microsoft office Macos 2021; Microsoft office Macos 2024
References: (none listed)
Metrics: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:56:44.261Z

Reserved: 2026-04-11T23:06:15.614Z

Link: CVE-2026-40363

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:17:15.217

Modified: 2026-05-12T18:17:15.217

Link: CVE-2026-40363

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:30:25Z

Weaknesses