Description
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: 2026-05-12
Score: 8.4 High
EPSS: 4.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A type confusion bug in Microsoft Office Word permits an attacker to supply a malicious document that causes the application to access a resource using an incompatible type. This flaw allows the attacker to execute arbitrary code on the victim’s machine with the user’s privileges, potentially leading to full system compromise. The vulnerability is classified as a heap‑based buffer overflow (CWE-122), type confusion (CWE-843), and potential exposure of sensitive information (CWE-908).

Affected Systems

The flaw affects Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024, Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Office 2016 Word. The specific versions susceptible are not enumerated in the CVE data, but all publicly supported versions are likely impacted until a Microsoft update is applied.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity. The EPSS score of 4% indicates a relatively low but non‑zero probability of exploitation, and the issue is not listed in CISA’s KEV catalog, but the practical attack scenario—opening a crafted Word file—makes exploitation straightforward for an attacker capable of delivering such a file. Outcomes include local code execution with the rights of the logged‑in user, giving attackers the ability to move laterally, install malware, or exfiltrate data. Based on the description, the likely attack vector is inferred to be a user opening a crafted Word document, a scenario that does not require elevated privileges or network access beyond the attacker’s ability to deliver the file.

Generated by OpenCVE AI on June 18, 2026 at 08:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Office security updates from Microsoft through Windows Update or the MSRC update guide.
  • Disable or restrict macro execution in Word, especially for documents from untrusted sources.
  • Ensure endpoint protection products such as antivirus or anti‑malware solutions are current and configured to scan Office files for malicious content.

Generated by OpenCVE AI on June 18, 2026 at 08:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft word
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft word

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title Microsoft Word Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft word 2016
Weaknesses CWE-122
CWE-843
CWE-908
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft word 2016
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Word Word 2016
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T16:12:17.097Z

Reserved: 2026-04-11T23:06:15.614Z

Link: CVE-2026-40364

cve-icon Vulnrichment

Updated: 2026-05-13T10:01:28.870Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:15.350

Modified: 2026-06-17T10:45:11.480

Link: CVE-2026-40364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T08:15:17Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow

  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')

  • CWE-908

    Use of Uninitialized Resource