Description
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free flaw in Microsoft Office's Click-To-Run deployment component that allows an authorized local user to gain higher privileges on the affected machine. Because the flaw is a memory-corruption bug, successful exploitation lets the attacker act beyond their original access level, compromising the confidentiality, integrity, or availability of the system. The weakness is classified as CWE-416.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft Office LTSC 2024. The CVE description does not specify sub-versions, so any installation of these products should be treated as potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. EPSS is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local (AV:L, PR:L), so exploitation requires an already-authorized user with access to the machine. If the flaw is exploited, the attacker can elevate privileges locally, potentially enabling lateral movement in the environment or full control over the affected system.

Generated by OpenCVE AI on May 12, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security update for CVE-2026-40419 from the Microsoft Security Update Guide.
  • If the update is not immediately available, consider re-deploying Office using the MSI channel or disabling the Click-To-Run feature as a temporary measure.
  • Restrict execution permissions on Office binaries for non-administrator users until the patch is applied.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Type                | Values Removed | Values Added
Description         |                | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
Title               |                | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
First Time appeared |                | Microsoft; Microsoft 365 Apps; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024
Weaknesses          |                | CWE-416
CPEs                |                | cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
                    |                | cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
                    |                | cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
                    |                | cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
Vendors & Products  |                | Microsoft; Microsoft 365 Apps; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024
References          |                | (none)
Metrics             |                | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:56:46.631Z

Reserved: 2026-04-13T00:27:50.799Z

Link: CVE-2026-40419

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T18:17:20.070

Modified: 2026-05-12T18:17:20.070

Link: CVE-2026-40419

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:15:27Z

Weaknesses