Description
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: 2026-05-12
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A type confusion bug in Microsoft Office Word permits an attacker to supply a malicious document that causes the application to access a resource using an incompatible type. This flaw allows the attacker to execute arbitrary code on the victim’s machine with the user’s privileges, potentially leading to full system compromise. The vulnerability is classified as a heap‑based buffer overflow (CWE-122), type confusion (CWE-843), and potential exposure of sensitive information (CWE-908).

Affected Systems

The flaw affects Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024, Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Office 2016 Word. All versions of these products are susceptible until addressed by a Microsoft update.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity. Although no EPSS score is published and the issue is not listed in CISA’s KEV catalog, the practical attack scenario—opening a crafted Word file—makes exploitation straightforward for an attacker capable of delivering such a file. Outcomes include local code execution with the rights of the logged‑in user, giving attackers the ability to move laterally, install malware, or exfiltrate data.

Generated by OpenCVE AI on May 12, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Office security updates from Microsoft through Windows Update or the MSRC update guide.
  • Disable or restrict macro execution in Word, especially for documents from untrusted sources.
  • Ensure endpoint protection products such as antivirus or anti‑malware solutions are current and configured to scan Office files for malicious content.

Generated by OpenCVE AI on May 12, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title Microsoft Word Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft word 2016
Weaknesses CWE-122
CWE-843
CWE-908
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft word 2016
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office 2019 Office 2021 Office 2024 Office Macos 2021 Office Macos 2024 Word 2016
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:57:30.945Z

Reserved: 2026-04-11T23:06:15.614Z

Link: CVE-2026-40364

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:15.350

Modified: 2026-05-12T18:17:15.350

Link: CVE-2026-40364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T19:30:23Z

Weaknesses