CVE-2026-35440 Overview
CVE-2026-35440 is an information disclosure vulnerability in Microsoft Office Word. The flaw is classified under [CWE-552] (Files or Directories Accessible to External Parties). An unauthorized attacker can disclose information locally when a user opens a specially crafted document.
Exploitation requires local access and user interaction. The vulnerability impacts confidentiality but does not affect integrity or availability of the host system. Microsoft published guidance for this issue in the Microsoft Security Update CVE-2026-35440 advisory.
Critical Impact
Successful exploitation allows an attacker to read sensitive files or directories normally inaccessible, leading to local disclosure of confidential data through a malicious Word document.
Affected Products
- Microsoft Office Word (refer to the Microsoft Security Response Center advisory for affected builds)
- Microsoft 365 Apps installations that include Word
- Standalone Microsoft Office installations containing the Word component
Discovery Timeline
- 2026-05-12 - CVE-2026-35440 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-35440
Vulnerability Analysis
The vulnerability resides in how Microsoft Office Word handles files or directories that should be restricted from external parties. When Word processes a crafted document, it exposes file or directory content to an attacker context that should not have visibility into those resources.
The issue is local in scope. An attacker must convince a user to open a malicious document, typically delivered through phishing, removable media, or a shared network location. Once opened, Word leaks data that the attacker can collect without elevating privileges.
The EPSS score is 0.04% as of 2026-05-17, reflecting a low probability of opportunistic exploitation. However, targeted use in phishing campaigns remains realistic given Word's ubiquity in enterprise environments.
Root Cause
The root cause maps to [CWE-552]: Files or Directories Accessible to External Parties. Word does not adequately restrict access to local resources when processing certain document constructs. As a result, a document's content, or the objects it references, can read or point to files that should remain isolated from the document's processing scope.
Attack Vector
An attacker crafts a Word document that references restricted files or directories. The attacker delivers the document to a target through email, web download, or shared storage. When the user opens the document in a vulnerable Word version, the document retrieves or exposes content from those files. The attacker then receives the disclosed information through the document's behavior or callback mechanism.
No verified proof-of-concept code is publicly available for this vulnerability. Refer to the Microsoft Security Update CVE-2026-35440 advisory for additional technical context.
Detection Methods for CVE-2026-35440
Indicators of Compromise
- Word documents (.docx, .doc, .docm, .rtf) originating from untrusted senders that reference unexpected local file paths or UNC shares
- Outbound network connections initiated by winword.exe to unfamiliar hosts immediately after a document opens
- Unusual file read events from winword.exe accessing user profile directories, credential stores, or configuration files
Detection Strategies
- Monitor winword.exe process behavior for access to sensitive file paths outside the document's working directory
- Inspect inbound email attachments and web downloads for Word documents containing external references, embedded objects, or template injection patterns
- Correlate document open events with subsequent file access and network telemetry to surface anomalous read-and-exfiltrate sequences
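A static check for the second strategy above (Word documents carrying external references or template-injection patterns), added here as an example; it is not part of this advisory or of any Microsoft tooling. It builds a constructed minimal .docx in memory (the UNC path and the example.com hyperlink in it are made up), then walks every relationship part in the package for TargetMode="External" targets, rating a remote attached template or a file:/UNC target higher than an ordinary https hyperlink. The severity rules are a triage heuristic chosen for the demo, not a Microsoft definition.

```python
"""Static triage of a .docx for external relationships (added example)."""
from __future__ import annotations

import io
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def severity(rel_type: str, target: str) -> str:
    """Remote attached templates and file:/UNC targets deserve a human look;
    a plain https hyperlink is ordinary document content (demo heuristic)."""
    t = target.lower()
    if rel_type == "attachedTemplate" or t.startswith(("file:", "\\\\")):
        return "high"
    return "info"


def scan_docx(data: bytes) -> list[dict]:
    """Return one finding per TargetMode="External" relationship in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts (styles, settings, media) are expected
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "type": rel_type,
                    "target": target,
                    "severity": severity(rel_type, target),
                })
    return findings


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal package with the rels layout Word uses; only the
    relationship parts matter to the scanner, the rest are placeholders."""
    settings_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    document_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}settings" Target="settings.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:  # no file given: scan the constructed sample (UNC path is made up)
        data = build_sample_docx("\\\\fileserver.example\\share\\letterhead.dotm")
    for f in scan_docx(data):
        print(f"[{f['severity']}] {f['part']}: {f['type']} -> {f['target']}")
```

Run it with a path to a .docx to list every external relationship, or with no arguments to see the constructed sample flagged. Reading the relationship parts rather than document.xml is deliberate: a remote template is declared in word/_rels/settings.xml.rels, which a body-text search never sees.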
Monitoring Recommendations
- Enable Microsoft Office telemetry and audit logging for document open events and template loads
- Forward endpoint process and file access telemetry to a centralized analytics platform for retrospective hunting
- Track user-reported phishing attempts that include Office documents and pivot on sender, hash, and URL indicators
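A small hunting routine for the correlation the Detection Strategies and Monitoring Recommendations describe (document open, then sensitive file read, then outbound connection from the same winword.exe process), added here as an example and not taken from the advisory or from any vendor product. It assumes a normalized JSON-lines telemetry export with ts, event, pid, image and either path, dest or cmdline fields; the eight sample events, the sensitive-path list and the destination allowlist are all constructed for the demo, and a real Sysmon or EDR export needs a field mapping first.

```python
"""Hunt for read-then-connect sequences in winword.exe telemetry (added example)."""
from __future__ import annotations

import json
from datetime import datetime

# Assumed event shape: one JSON object per line with ts, event, pid, image and
# path (file_read), dest (net_conn) or cmdline (process_create). The sensitive
# path fragments and the destination allowlist are demo choices, not a standard.
SENSITIVE_PATH_FRAGMENTS = (
    "\\appdata\\roaming\\microsoft\\credentials\\",
    "\\appdata\\local\\microsoft\\credentials\\",
    "\\appdata\\roaming\\microsoft\\protect\\",
    "\\.ssh\\",
    "\\.aws\\credentials",
    "\\.git-credentials",
)
ALLOWED_DEST_SUFFIXES = (".microsoft.com", ".office.com")

# Constructed sample telemetry: pid 4120 opens a download, reads a credential
# store and talks to an unknown host (203.0.113.7 is a documentation address);
# pid 5500 is ordinary use and must not alert.
SAMPLE_EVENTS = r"""
{"ts":"2026-05-14T09:00:01","event":"process_create","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE /n C:\\Users\\alice\\Downloads\\invoice.docx"}
{"ts":"2026-05-14T09:00:03","event":"file_read","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","path":"C:\\Users\\alice\\Downloads\\invoice.docx"}
{"ts":"2026-05-14T09:00:04","event":"file_read","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","path":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Credentials\\0F2D3A"}
{"ts":"2026-05-14T09:00:06","event":"net_conn","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest":"203.0.113.7:443"}
{"ts":"2026-05-14T09:00:07","event":"net_conn","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest":"officeclient.microsoft.com:443"}
{"ts":"2026-05-14T09:05:00","event":"process_create","pid":5500,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE /n C:\\Users\\bob\\Documents\\report.docx"}
{"ts":"2026-05-14T09:05:02","event":"file_read","pid":5500,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","path":"C:\\Users\\bob\\Documents\\report.docx"}
{"ts":"2026-05-14T09:05:03","event":"net_conn","pid":5500,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest":"templates.office.com:443"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines and turn the ISO timestamp into a datetime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def is_winword(image: str) -> bool:
    return image.lower().endswith("\\winword.exe")


def is_sensitive_path(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in SENSITIVE_PATH_FRAGMENTS)


def is_allowed_dest(dest: str) -> bool:
    host = dest.rsplit(":", 1)[0].lower()
    return host.endswith(ALLOWED_DEST_SUFFIXES)


def find_read_then_connect(events: list[dict], window_s: int = 60) -> list[dict]:
    """One alert per (sensitive read, unexpected connection) pair from the same
    winword.exe pid within window_s seconds, tagged with the document opened."""
    by_pid: dict[int, list[dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if is_winword(e.get("image", "")):
            by_pid.setdefault(e["pid"], []).append(e)
    alerts = []
    for pid, evs in by_pid.items():
        opened = next((e["cmdline"] for e in evs if e["event"] == "process_create"), "?")
        reads = [e for e in evs if e["event"] == "file_read" and is_sensitive_path(e["path"])]
        conns = [e for e in evs if e["event"] == "net_conn" and not is_allowed_dest(e["dest"])]
        for r in reads:
            for c in conns:
                gap = (c["ts"] - r["ts"]).total_seconds()
                if 0 <= gap <= window_s:  # read must precede the connection
                    alerts.append({"pid": pid, "opened": opened, "read": r["path"],
                                   "dest": c["dest"], "seconds_apart": gap})
    return alerts


if __name__ == "__main__":
    for a in find_read_then_connect(parse_events(SAMPLE_EVENTS)):
        print(f"pid {a['pid']} opened {a['opened']!r}: read {a['read']} then "
              f"connected to {a['dest']} {a['seconds_apart']:.0f}s later")
```

Grouping by pid and requiring the read to precede the connection is what keeps the benign session (pid 5500) quiet while still surfacing the single read-and-connect sequence; in production the allowlist should come from the Office 365 endpoint list rather than two hard-coded suffixes, and a read of a credential store with no connection is still worth a lower-severity alert of its own.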
How to Mitigate CVE-2026-35440
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update CVE-2026-35440 advisory to all systems running Microsoft Office Word
- Enable Protected View for documents originating from the internet, email attachments, and unsafe locations
- Restrict macro execution and external content loading through Group Policy for Microsoft Office
Patch Information
Microsoft has released a security update addressing CVE-2026-35440. Administrators should consult the Microsoft Security Update CVE-2026-35440 advisory to identify the specific Office build numbers and channels that contain the fix, then deploy through standard update channels such as Microsoft Update, WSUS, Intune, or Configuration Manager.
Workarounds
- Configure Office Trust Center to block documents from untrusted locations and disable automatic external content fetching
- Use Attack Surface Reduction (ASR) rules to block Office applications from creating child processes and from accessing sensitive locations
- Train users to validate document senders and to keep documents in Protected View until the source is verified
# Example: enforce Protected View for Word (Office 16.0, current user). Run from PowerShell; from cmd, drop the # lines, the reg.exe arguments are identical.
# These values are "Disable ... in Protected View" switches, so 0 keeps Protected View ON for that source. Group Policy writes the same value names under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView, which takes precedence over these per-user keys.
# Files from the Internet zone
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
# Outlook attachments
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
# Files in locations Office treats as unsafe (e.g. Temporary Internet Files)
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.