CVE-2026-40418 Overview
CVE-2026-40418 is a use-after-free vulnerability [CWE-416] in Microsoft Office Click-To-Run that enables local privilege escalation. An authorized local attacker can exploit the flaw to elevate privileges on an affected system. The issue affects the Click-To-Run servicing component that Microsoft Office uses to install and update Office products on Windows endpoints.
Successful exploitation results in high impact to confidentiality, integrity, and availability. Microsoft published the advisory in its Security Update Guide. No public proof-of-concept code or in-the-wild exploitation has been reported at the time of writing.
Critical Impact
An authenticated local attacker can elevate privileges on a vulnerable Windows host running Microsoft Office Click-To-Run, gaining elevated execution context with full impact to confidentiality, integrity, and availability.
Affected Products
- Microsoft Office Click-To-Run (Windows installer and servicing component for Microsoft Office)
- Microsoft 365 Apps deployments using the Click-To-Run delivery mechanism
- Standalone Microsoft Office editions installed via Click-To-Run
Discovery Timeline
- 2026-05-12 - CVE-2026-40418 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40418
Vulnerability Analysis
The vulnerability is a use-after-free condition [CWE-416] within the Microsoft Office Click-To-Run servicing component. Click-To-Run runs with elevated privileges to manage Office installation, configuration, and update operations on Windows. When the component releases a memory object but later dereferences a pointer that still references the freed allocation, an attacker can manipulate the reused memory region to influence execution flow.
Exploitation requires the attacker to be locally authenticated on the target system. No user interaction is required, and attack complexity is low. The result is execution within the privileged context of the Click-To-Run service.
Microsoft has not published exploitation details beyond the advisory entry in the Microsoft Security Update Guide.
Root Cause
The root cause is improper lifetime management of a heap-allocated object inside Click-To-Run. After the object is freed, a stale pointer remains in use. Subsequent operations dereference this dangling pointer, allowing an attacker who can race or shape the heap to substitute controlled data into the freed region.
Attack Vector
The attack vector is local. An attacker with low-privileged authenticated access to the Windows host triggers the vulnerable code path in the Click-To-Run service. By controlling the contents that occupy the freed memory before the use-after-free dereference, the attacker pivots execution into the elevated service context to gain SYSTEM-level privileges.
No verified public exploitation code is available. Refer to the Microsoft advisory for vendor-supplied technical context.
Detection Methods for CVE-2026-40418
Indicators of Compromise
- Unexpected child processes spawned by OfficeClickToRun.exe or related Click-To-Run service binaries, particularly command interpreters such as cmd.exe or powershell.exe.
- Crashes or Windows Error Reporting entries referencing the Click-To-Run service that coincide with suspicious local user activity.
- New scheduled tasks, services, or persistence artifacts created shortly after Click-To-Run process anomalies.
Detection Strategies
- Monitor process lineage for any non-standard descendants of OfficeClickToRun.exe and the ClickToRunSvc service.
- Detect token elevation events where a low-privileged user transitions to SYSTEM following Office-related process activity.
- Hunt for write operations to Click-To-Run program directories from unprivileged user contexts.
Monitoring Recommendations
- Enable Sysmon process creation (Event ID 1) and image load (Event ID 7) logging for Office Click-To-Run binaries.
- Forward endpoint telemetry to a centralized analytics platform and correlate local logon events with Click-To-Run service anomalies.
- Alert on access violations or service restarts involving ClickToRunSvc that occur outside scheduled Office update windows.
How to Mitigate CVE-2026-40418
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update Guide for CVE-2026-40418 to all systems running Microsoft Office Click-To-Run.
- Inventory Windows endpoints with Office installations to identify any deployments pinned to deferred update channels that have not yet received the fix.
- Restrict interactive and remote local logon rights on systems that host sensitive workloads alongside Microsoft Office.
Patch Information
Microsoft has published patch guidance for CVE-2026-40418 through the Security Update Guide. Office Click-To-Run installations typically receive updates automatically through the Click-To-Run servicing channel. Administrators managing Microsoft 365 Apps should confirm that update channels are not paused and that endpoints are reporting current build numbers after deployment.
Workarounds
- No vendor-supplied workaround replaces the patch. Apply the update as the primary remediation.
- Limit the number of users with local logon rights on multi-user systems to reduce the population of accounts capable of triggering the vulnerability.
- Enforce application allowlisting to prevent unauthorized binaries from running in user contexts that could stage a use-after-free exploit against Click-To-Run.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
