CVE-2026-40366 Overview
CVE-2026-40366 is a use-after-free vulnerability in Microsoft Office Word that enables local code execution. The flaw is tracked under [CWE-416] and carries a CVSS 3.1 score of 8.4. An attacker who convinces a user to open a crafted Word document can trigger memory corruption and run arbitrary code in the context of the current user. No authentication is required, and the attack vector is local. Microsoft published advisory details through the Microsoft Security Response Center.
Critical Impact
Successful exploitation grants arbitrary code execution with the privileges of the logged-on user, threatening confidentiality, integrity, and availability of the host.
Affected Products
- Microsoft Office Word (see vendor advisory for affected builds)
- Microsoft 365 Apps deployments that include Word
- Standalone Microsoft Office installations including Word
Discovery Timeline
- 2026-05-12 - CVE-2026-40366 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40366
Vulnerability Analysis
The issue is a use-after-free condition in Microsoft Office Word. The application frees an object in memory but retains a stale reference to it. When that reference is later dereferenced, the attacker controls the contents of the reallocated memory region. This primitive can be shaped into arbitrary code execution within the Word process. The Exploit Prediction Scoring System (EPSS) currently rates the likelihood of active exploitation as low, but the impact profile remains severe because confidentiality, integrity, and availability are all compromised on success.
Root Cause
The root cause is improper object lifetime management within Word's document parsing or rendering paths, classified as [CWE-416] Use After Free. Crafted document structures cause the application to release a heap object while another code path still holds a pointer to it. Subsequent operations on the dangling pointer corrupt program state.
Attack Vector
Exploitation requires the victim to open a malicious .docx, .doc, or related Word-supported file. Delivery commonly occurs through email attachments, phishing links, or compromised file shares. Once opened, the document triggers the freed-object reuse and executes attacker-controlled code with the user's privileges. Code execution may then be chained with privilege escalation flaws for full system compromise.
No verified public proof-of-concept code is available at this time. Refer to the Microsoft CVE-2026-40366 Advisory for vendor-supplied technical context.
Detection Methods for CVE-2026-40366
Indicators of Compromise
- Unexpected child processes spawned by winword.exe, such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe.
- Word writing executable content to %TEMP%, %APPDATA%, or Startup folders shortly after a document is opened.
- Outbound network connections initiated by winword.exe to previously unseen domains or IP addresses.
Detection Strategies
- Hunt for process-tree anomalies where winword.exe is the parent of a scripting or LOLBin process.
- Inspect Office documents arriving via email for embedded objects, anomalous OOXML structures, or heap-grooming payloads.
- Correlate document-open events with subsequent memory protection changes or suspicious module loads inside Word.
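The indicators and hunting rules above, turned into checks over Sysmon-style events, as an added example that is not part of the advisory. The event schema, the host allowlist, and the sample telemetry are constructed assumptions; on a real deployment the dictionaries would be fed from Sysmon event IDs 1, 3, and 11.

```python
# Added example (not part of the advisory): scan Sysmon-style process, file and network
# events for the post-exploitation indicators listed above. Event schema, allowlist and
# sample telemetry are constructed assumptions, not real data.
from datetime import datetime, timedelta

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe"}          # scripting hosts and LOLBins
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".hta", ".vbs", ".ps1")
DROP_DIRS = ("\\temp\\", "\\appdata\\", "\\start menu\\programs\\startup\\")
KNOWN_HOSTS = {"officeclient.microsoft.com", "login.microsoftonline.com"}  # assumed baseline

def _name(path):
    """Last path component; splits on backslash so Windows paths parse on any OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events, window=timedelta(seconds=120)):
    """Return alert strings. Event ids follow Sysmon: 1 process create, 3 network, 11 file create."""
    alerts, word_started = [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        image = _name(ev["image"])
        if ev["id"] == 1:
            if image == "winword.exe":
                word_started = t                 # proxy for "a document was opened"
            elif _name(ev.get("parent_image", "")) == "winword.exe" and image in SUSPICIOUS_CHILDREN:
                alerts.append(f"{ev['time']} winword.exe spawned {image}")
        elif image != "winword.exe":
            continue                             # remaining rules only concern Word itself
        elif ev["id"] == 11:
            target = ev["target"].lower()
            recent = word_started is not None and t - word_started <= window
            if recent and target.endswith(EXECUTABLE_EXT) and any(d in target for d in DROP_DIRS):
                alerts.append(f"{ev['time']} winword.exe wrote executable {ev['target']}")
        elif ev["id"] == 3 and ev["dest_host"].lower() not in KNOWN_HOSTS:
            alerts.append(f"{ev['time']} winword.exe connected to {ev['dest_host']}")
    return alerts

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed telemetry for demonstration only
    {"id": 1, "time": "2026-05-14 09:00:00", "image": WORD, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "time": "2026-05-14 09:00:07", "image": WORD,
     "target": r"C:\Users\jdoe\AppData\Local\Temp\~WRD0001.tmp"},   # ordinary scratch file, benign
    {"id": 11, "time": "2026-05-14 09:00:09", "image": WORD,
     "target": r"C:\Users\jdoe\AppData\Roaming\update.exe"},        # executable dropped right after open
    {"id": 1, "time": "2026-05-14 09:00:10", "image": r"C:\Windows\System32\cmd.exe", "parent_image": WORD},
    {"id": 3, "time": "2026-05-14 09:00:12", "image": WORD, "dest_host": "officeclient.microsoft.com"},
    {"id": 3, "time": "2026-05-14 09:00:13", "image": WORD, "dest_host": "cdn-update.example.net"},
]
```

Running `detect(SAMPLE_EVENTS)` yields three alerts (the dropped executable, the cmd.exe child, and the unknown destination) while the scratch file and the allowlisted host pass silently.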
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction rules that block Office child processes and executable content creation.
- Forward Sysmon process, image-load, and network events to a central analytics platform for behavioral baselining.
- Alert on Office processes loading non-standard DLLs or invoking Win32 APIs associated with shellcode execution.
How to Mitigate CVE-2026-40366
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-40366 Advisory to all Word installations.
- Prioritize patching for users handling external documents, including finance, HR, executive assistants, and legal teams.
- Validate that automatic update channels for Microsoft 365 Apps are functioning and current.
Patch Information
Microsoft has published guidance for CVE-2026-40366 through MSRC. Administrators should consult the advisory for the exact build numbers, channel-specific updates, and KB identifiers applicable to their deployed version of Word. Update Microsoft 365 Apps via the Office Click-to-Run channel and use WSUS, Intune, or Configuration Manager for standalone Office installations.
Workarounds
- Enforce Protected View and Application Guard for documents originating from the internet or email.
- Disable rich content in Outlook previews and require user interaction before rendering attachments.
- Restrict opening of Office files from untrusted sources using Group Policy and file-type blocking at the email gateway.
# Example: keep Protected View enabled for attachments, internet files and unsafe locations (per-user preference values; a value of 0 leaves each check on). To enforce the same settings through Group Policy, the identical value names live under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView.
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableAttachementsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.