CVE-2026-40360 Overview
CVE-2026-40360 is an out-of-bounds read vulnerability [CWE-125] in Microsoft Office Excel. The flaw allows an unauthorized attacker to disclose information locally when a user opens a specially crafted spreadsheet. Exploitation requires user interaction, typically opening a malicious Excel file delivered through phishing or another social engineering vector.
Microsoft published the advisory on the Microsoft Security Response Center portal. The vulnerability impacts confidentiality, integrity, and availability of the affected host once a crafted document is opened by the targeted user.
Critical Impact
Successful exploitation reads memory outside allocated buffers, enabling local information disclosure that can leak sensitive process memory and aid follow-on code execution.
Affected Products
- Microsoft Office Excel (see Microsoft advisory for affected build ranges)
- Microsoft 365 Apps installations including Excel
- Standalone Microsoft Office distributions containing Excel
Discovery Timeline
- 2026-05-12 - CVE-2026-40360 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40360
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in Microsoft Office Excel. Excel parses complex binary and XML spreadsheet formats containing records, formulas, embedded objects, and shared strings. When Excel processes a malformed structure, the parser reads beyond the bounds of an allocated buffer.
The attack vector is local and requires user interaction. An attacker must convince a user to open a crafted .xls, .xlsx, or related Excel file. Once opened, Excel parses the file in the user's security context and triggers the out-of-bounds read.
The vulnerability disclosure metrics indicate high impact across confidentiality, integrity, and availability. Disclosed memory contents can include heap data, pointers, and other sensitive process state. Attackers commonly chain such reads with memory corruption flaws to defeat Address Space Layout Randomization (ASLR) and achieve code execution. The EPSS probability stands at 0.058%.
Root Cause
The root cause is missing or insufficient bounds checking when Excel reads a length-controlled field, index, or offset from a spreadsheet structure. The parser trusts attacker-controlled size or index values and reads memory beyond the allocated buffer. See the Microsoft Security Update for CVE-2026-40360 for additional vendor technical context.
Attack Vector
An attacker crafts a malicious Excel document with manipulated record headers, index values, or structure offsets. The attacker delivers the file via email attachment, web download, or shared drive. When the victim opens the document, Excel parses the malformed structures and reads memory outside the intended buffer, returning that memory to attacker-controlled formulas, objects, or scripts within the document.
No verified proof-of-concept is publicly available.
Refer to the Microsoft advisory for technical detail.
Detection Methods for CVE-2026-40360
Indicators of Compromise
- Unexpected Excel process crashes or Windows Error Reporting events referencing EXCEL.EXE access violations
- Inbound emails containing Excel attachments from untrusted senders, especially with macros, external links, or embedded objects
- Excel spawning unusual child processes such as cmd.exe, powershell.exe, or rundll32.exe
- Outbound network connections initiated by EXCEL.EXE to unfamiliar domains shortly after document open
Detection Strategies
- Monitor endpoint telemetry for EXCEL.EXE exceptions and abnormal memory access patterns
- Inspect inbound email attachments and web downloads for Office documents with malformed binary structures
- Apply behavioral identification rules that flag Excel reading memory regions atypical for normal document parsing
- Correlate document-open events with subsequent file writes, registry modifications, or network egress
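The indicators and correlation strategy above, as an added detection example that is not part of the advisory or of any Microsoft tooling: it scans constructed Sysmon-style events (fictitious paths, hostnames and timestamps) for EXCEL.EXE spawning script interpreters, EXCEL.EXE network egress and EXCEL.EXE access-violation crashes, and raises severity when a finding falls within an assumed five-minute window after a spreadsheet was opened.

```python
"""Added detection example for CVE-2026-40360 follow-on behaviour (not from the advisory)."""
from datetime import datetime, timedelta

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window after a document open
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed sample events; field names follow Sysmon (id 1 = process create, 3 = network
# connect) plus an Application Error crash record (id 1000). Nothing here is real telemetry.
EVENTS = [
    {"t": "2026-05-14T09:00:00", "id": 1, "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\a\Downloads\invoice.xls"'},
    {"t": "2026-05-14T09:00:07", "id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": EXCEL, "CommandLine": "cmd.exe /c whoami"},
    {"t": "2026-05-14T09:00:09", "id": 3, "Image": EXCEL,
     "DestinationHostname": "updates.example.invalid", "DestinationPort": 443},
    {"t": "2026-05-14T09:00:12", "id": 1000, "Image": "",
     "Message": "Faulting application name: EXCEL.EXE ... Exception code: 0xc0000005"},
    {"t": "2026-05-14T11:30:00", "id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},  # benign: not Excel's child
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ts(event):
    return datetime.fromisoformat(event["t"])

def document_opens(events):
    """Times at which EXCEL.EXE was started with a spreadsheet path on its command line."""
    return [ts(e) for e in events
            if e["id"] == 1 and basename(e["Image"]) == "excel.exe" and ".xls" in e["CommandLine"].lower()]

def detect(events):
    """Return (timestamp, finding, severity) triples; severity is 'high' when the finding
    lands within WINDOW of a document open, 'medium' otherwise."""
    opens = document_opens(events)
    findings = []
    for e in events:
        if e["id"] == 1 and basename(e.get("ParentImage", "")) == "excel.exe" \
                and basename(e["Image"]) in SUSPICIOUS_CHILDREN:
            kind = "excel_spawned_" + basename(e["Image"])
        elif e["id"] == 3 and basename(e["Image"]) == "excel.exe":
            kind = "excel_egress_" + e["DestinationHostname"]
        elif e["id"] == 1000 and "excel.exe" in e["Message"].lower() and "0xc0000005" in e["Message"]:
            kind = "excel_access_violation"  # crash consistent with a triggered out-of-bounds read
        else:
            continue
        recent = any(timedelta(0) <= ts(e) - o <= WINDOW for o in opens)
        findings.append((e["t"], kind, "high" if recent else "medium"))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

The same logic applies unchanged to events exported from a SIEM, as long as the Image, ParentImage, CommandLine and Message fields are mapped to the names used here.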
Monitoring Recommendations
- Centralize Office telemetry, Microsoft Defender events, and Windows Event Logs into a SIEM for correlation
- Track Office process integrity levels, AMSI scan results, and Protected View bypass attempts
- Alert on Excel loading uncommon dynamic-link libraries or invoking script interpreters
How to Mitigate CVE-2026-40360
Immediate Actions Required
- Apply the security update referenced in the Microsoft Security Update Guide for CVE-2026-40360 across all systems running Excel
- Enforce Protected View for documents originating from the internet and email attachments
- Block or quarantine Excel files at the mail gateway when delivered from untrusted external senders
- Restrict macro execution to digitally signed macros from trusted publishers
Patch Information
Microsoft has released a security update addressing CVE-2026-40360. Administrators should deploy the patch through Windows Update, Microsoft Update for Business, WSUS, or Microsoft Intune. Verify patch installation on Microsoft 365 Apps, Office LTSC, and any standalone Office distributions containing Excel. Consult the Microsoft advisory for build numbers and channel-specific guidance.
Workarounds
- Open untrusted spreadsheets only in Excel Protected View or Office for the web sandbox
- Disable preview handlers for Excel files in Outlook and Windows Explorer until patches are deployed
- Apply Attack Surface Reduction rules that block Office applications from creating child processes and injecting code
- Use Group Policy to enforce File Block settings for legacy Excel formats from untrusted locations
# Example: enforce Protected View and block legacy Excel formats via Group Policy registry keys
# Run from a PowerShell prompt as the target user (the # lines are comments); these are per-user policy keys.
# A value of 0 keeps Protected View enabled for that origin; 1 would turn it off.
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
# Note: Office's own policy schema spells this value name "Attachements".
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableAttachementsInPV /t REG_DWORD /d 0 /f
# Check the File Block value names against the Office ADMX templates before deploying.
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\FileBlock" /v XLSFiles /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.