Description
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The current description records a use-after-free in Microsoft Office that allows an authorized (already authenticated, low-privileged) local attacker to elevate privileges; the original description and the title place the flaw in the Office Click-To-Run component. Use after free means the code keeps operating on memory after it has been released, so an attacker who can influence what is allocated in that memory afterwards can corrupt program state or hijack control flow inside a more privileged Office component and run code with its rights, bypassing the permission checks a standard user is otherwise subject to. The weakness recorded for this CVE is CWE-284 (Improper Access Control), carried over from the original description; a use-after-free is ordinarily classified as CWE-416, and the weakness entry has not been updated to match the revised description. With confidentiality, integrity and availability all rated High and the scope changed, successful exploitation compromises the host beyond the Office process itself.

Affected Systems

The CPE entries cover Microsoft 365 Apps for Enterprise (x86 and x64 builds), Office 2019, Office LTSC 2021 and Office LTSC 2024. No affected or fixed build numbers are recorded on this page, so treat every installation of these products as affected until the update for this CVE is confirmed installed on the host.

Risk and Exploitability

The CVSS 3.1 base score is 8.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: local attack vector, low complexity, low privileges required, no user interaction, and a changed scope with high impact on confidentiality, integrity and availability. In practice the attacker is code already running as a standard user on the host, whether a malicious insider, a compromised account, or malware that arrived by some other route; physical access is not required. The temporal metrics E:U/RL:O/RC:C record that no exploit is publicly known, that an official fix exists, and that the report is confirmed, and the SSVC assessment agrees (Exploitation: none, Automatable: no, Technical Impact: total). The EPSS score below 1% and the absence from the KEV catalogue reflect the current lack of observed exploitation, not low consequence: a reliable local elevation primitive is exactly what post-compromise tooling chains after initial access, so patching should be prioritised on multi-user and high-value endpoints.

Generated by OpenCVE AI on June 1, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround is recorded on this page. Note, however, that the CVSS vector recorded in the history below carries the temporal metric RL:O (official fix), so the Microsoft Security Update Guide entry for CVE-2026-40420 should be consulted for the update and the affected builds.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for CVE-2026-40420 (the CVSS temporal metric RL:O indicates one has been released), and confirm the installed build on each host against the fixed build Microsoft lists for the relevant update channel rather than trusting that the update was offered.
  • Until the update is confirmed, reduce who can reach the flaw: run users without local administrator rights, restrict which code can execute on the endpoint (application control), and remove unnecessary interactive access to shared hosts. Click-To-Run is the installation and servicing technology for all of the listed Office releases, not an optional feature, so it cannot be disabled as a mitigation without removing Office.
  • Monitor and alert on local privilege-escalation indicators: Office components spawning unexpected child processes, new members of the local Administrators group, and services or scheduled tasks created by standard-user accounts; review access controls regularly against the principle of least privilege.

Generated by OpenCVE AI on June 1, 2026 at 20:55 UTC.
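As an added example (not code from OpenCVE or Microsoft), the PowerShell below reads the standard Click-to-Run configuration registry values to report which Office products, platform, update channel and build a host runs, so that the result can be compared with the fixed build Microsoft publishes for this CVE. Because the page records no affected or fixed build numbers, the `$FixedBuilds` table is an operator-supplied assumption and is left empty by default; the channel GUIDs are Microsoft's documented Current, Monthly Enterprise and Semi-Annual Enterprise identifiers, and any other channel is reported by its raw URL.

```powershell
# Added example for CVE-2026-40420 triage; not code from OpenCVE or Microsoft.
# Reports the Click-to-Run (C2R) Office build, channel and platform on this host.
# The fixed build numbers are NOT recorded on the CVE page, so $FixedBuilds is an
# assumption the operator fills in from Microsoft's release notes for each channel.

param(
    # Assumed/operator-supplied: channel name -> lowest build that contains the fix.
    # Shape only, e.g. @{ 'Current Channel' = '16.0.0.0' }; empty means "unknown".
    [hashtable]$FixedBuilds = @{}
)

# Standard C2R configuration key written by the Office installer.
$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

# Microsoft's documented update-channel identifiers, found at the end of the UpdateChannel URL.
$channelNames = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current Channel'
    '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'Monthly Enterprise Channel'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Enterprise Channel'
}

function Get-OfficeC2RState {
    if (-not (Test-Path $c2rKey)) {
        # Microsoft 365 Apps, Office 2019 and Office LTSC 2021/2024 are all C2R installs,
        # so a missing key means none of the listed products is present on this host.
        return [pscustomobject]@{ Installed = $false; Status = 'Not installed' }
    }

    $cfg        = Get-ItemProperty -Path $c2rKey
    $build      = [version]$cfg.VersionToReport            # e.g. 16.0.nnnnn.nnnnn
    $channelUrl = ([string]$cfg.UpdateChannel).TrimEnd('/')
    $channelId  = ($channelUrl -split '/')[-1].ToLower()
    $channel    = if ($channelNames.ContainsKey($channelId)) { $channelNames[$channelId] }
                  else { "Unknown ($channelUrl)" }

    # The C2R servicing service runs as SYSTEM; its presence confirms the component is active.
    $svc = Get-Service -Name ClickToRunSvc -ErrorAction SilentlyContinue

    # Only claim Patched/Vulnerable when the operator supplied a fixed build for this channel.
    $status = 'Unknown: no fixed build supplied for this channel'
    if ($FixedBuilds.ContainsKey($channel)) {
        $status = if ($build -ge [version]$FixedBuilds[$channel]) { 'Patched' } else { 'Vulnerable' }
    }

    [pscustomobject]@{
        Installed  = $true
        Products   = [string]$cfg.ProductReleaseIds       # e.g. O365ProPlusRetail, ProPlus2021Volume
        Platform   = [string]$cfg.Platform                # x86 or x64, matching the CPE entries
        Build      = $build
        Channel    = $channel
        C2RService = if ($svc) { [string]$svc.Status } else { 'Not found' }
        Status     = $status
    }
}

Get-OfficeC2RState | Format-List
```

Run it as an administrator on each endpoint (or push it through your management tooling) and, once Microsoft's release notes give the fixed build per channel, pass them in via `-FixedBuilds` so the Status field becomes a definite Patched or Vulnerable rather than Unknown.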

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:00:00 +0000

Type: Description
Values Removed: Improper access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
Values Added: Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.

Tue, 19 May 2026 18:15:00 +0000

Type: First Time appeared
Values Added: Microsoft office; Microsoft office Long Term Servicing Channel

Type: CPEs
Values Added:
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*

Type: Vendors & Products
Values Added: Microsoft office; Microsoft office Long Term Servicing Channel

Tue, 12 May 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type: Description
Values Added: Improper access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Type: Title
Values Added: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability

Type: First Time appeared
Values Added: Microsoft; Microsoft 365 Apps; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024

Type: Weaknesses
Values Added: CWE-284

Type: CPEs
Values Added:
cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*

Type: Vendors & Products
Values Added: Microsoft; Microsoft 365 Apps; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024

Type: References
Values Added: (none recorded on this page)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-01T23:44:50.653Z

Reserved: 2026-04-13T00:27:50.799Z

Link: CVE-2026-40420

Vulnrichment

Updated: 2026-05-12T18:59:13.407Z

NVD

Status : Modified

Published: 2026-05-12T18:17:20.190

Modified: 2026-06-01T19:16:39.273

Link: CVE-2026-40420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:00:15Z

Weaknesses