Description
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: 2026-05-12
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw in Microsoft Word allows an attacker to execute arbitrary code on the local machine when a specially crafted document is processed. The flaw falls under CWE‑416 and can be triggered without external network connections, meaning the compromise is local but can provide the attacker with the privileges of the user who opens the file.

Affected Systems

The vulnerability affects multiple Microsoft Office product families, including Microsoft 365 Apps for Enterprise; Microsoft Office 2019; the long‑term servicing channel releases 2021, 2024, and their Macintosh editions; as well as Microsoft Word 2016. No specific version ranges are listed, so all builds of these applications that have not received the patch are potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.4 the flaw is considered high severity; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploit samples yet. An attacker would need to deliver a malicious Word file to a target user, for example via phishing or other delivery channel. Opening the file can trigger the use‑after‑free bug, leading to arbitrary code execution on that system, which poses a significant risk for any workstation running the affected Office applications.

Generated by OpenCVE AI on May 12, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Office security update available from the MSRC update guide to fix the use‑after‑free vulnerability.
  • Restrict the automatic opening of Word documents from external sources by adjusting the trusted document settings or by adding the files to a safe list only after verification.
  • Block potentially malicious content in Word by disabling macros and external content within the application’s security settings until the patch is in place.

Generated by OpenCVE AI on May 12, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title Microsoft Word Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft word 2016
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft word 2016
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office 2019 Office 2021 Office 2024 Office Macos 2021 Office Macos 2024 Word 2016
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:57:27.704Z

Reserved: 2026-04-11T23:06:15.614Z

Link: CVE-2026-40366

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:15.610

Modified: 2026-05-12T18:17:15.610

Link: CVE-2026-40366

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses