CVE-2026-40420 Overview
CVE-2026-40420 is an improper access control vulnerability [CWE-284] in Microsoft Office Click-To-Run (C2R). The flaw allows an authorized local attacker to elevate privileges on an affected host. Microsoft published the advisory on May 12, 2026.
The vulnerability requires local access and low privileges, but no user interaction. A successful exploit crosses the CVSS scope boundary (a low-privileged caller gains control over the SYSTEM-level component), with high impact on confidentiality, integrity, and availability. Microsoft tracks the issue under its May 2026 update guide.
Critical Impact
A low-privileged local user can escalate to higher privileges on a system running Microsoft Office Click-To-Run, gaining the ability to modify protected resources and execute code in a privileged context.
Affected Products
- Microsoft Office Click-To-Run (C2R) servicing component
- Microsoft 365 Apps for Enterprise installations using Click-To-Run
- Microsoft Office consumer editions delivered via Click-To-Run
Discovery Timeline
- 2026-05-12 - CVE-2026-40420 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40420
Vulnerability Analysis
Microsoft Office Click-To-Run is the streaming and servicing technology that installs and updates Microsoft 365 Apps. It runs a privileged service (ClickToRunSvc) that manages updates, repairs, and component registration. The service operates with SYSTEM-level privileges to modify protected installation directories and registry keys.
CVE-2026-40420 exists in this privileged servicing path. The Click-To-Run service does not adequately validate the security context of requests or the integrity of the resources it operates on. An authenticated local user can interact with the service through an object or file path under their control and induce it to perform privileged operations on attacker-controlled inputs.
The CVSS vector indicates a scope change, which is consistent with a low-privileged process influencing a SYSTEM-level component to act on its behalf. The outcome is privilege escalation with full impact on the host.
Root Cause
The root cause is improper access control [CWE-284] within the Click-To-Run servicing component. Authorization checks on caller identity, file paths, or named objects are insufficient to prevent a standard user from directing privileged behavior. The service trusts inputs or resource handles that a local attacker can influence.
Attack Vector
The attacker must already have valid credentials and code execution as a standard user on the target system. From that position, the attacker invokes Click-To-Run functionality through its interprocess communication surface or manipulates files and objects the service accesses during normal operation. The service then performs a sensitive action under SYSTEM, yielding privilege escalation.
The vulnerability is not remotely exploitable and does not require user interaction beyond the attacker's own session. Microsoft's advisory provides the authoritative description and patch guidance. See the Microsoft CVE-2026-40420 Advisory for vendor details.
No verified public proof-of-concept code is available. Refer to the Microsoft Security Response Center advisory for technical details.
Detection Methods for CVE-2026-40420
Indicators of Compromise
- Unexpected child processes spawned by OfficeClickToRun.exe or ClickToRunSvc running as SYSTEM
- Modifications to files under %ProgramFiles%\Common Files\Microsoft Shared\ClickToRun\ initiated by non-administrative user contexts
- New or altered scheduled tasks, services, or auto-run registry entries created shortly after Click-To-Run service activity by a standard user
Detection Strategies
- Monitor for standard users triggering Click-To-Run repair, update, or component registration operations outside of normal maintenance windows
- Alert on token impersonation or process creation chains where ClickToRunSvc launches binaries from user-writable directories
- Correlate local logon events with subsequent privileged file or registry writes performed through the Click-To-Run service
Monitoring Recommendations
- Enable Windows process creation auditing (Event ID 4688) with command line logging and forward to a centralized analytics platform
- Track file integrity on Click-To-Run installation paths and the HKLM\SOFTWARE\Microsoft\Office\ClickToRun registry key
- Review Microsoft Office telemetry and Windows Service Control Manager events for unusual restarts or configuration changes to ClickToRunSvc
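The indicators and detection strategies above can be expressed as two simple rules: a SYSTEM-context OfficeClickToRun.exe (the image backing ClickToRunSvc) spawning a child from outside the trusted installation roots, and a non-service account writing into the Click-To-Run installation directory. The code below is an added example, not part of the advisory or any Microsoft tooling; it runs those rules over hand-constructed event records whose field names mirror Windows Security Event ID 4688 and Sysmon Event ID 11 as a SIEM would expose them. The trusted-root list, the sample hostnames, user names and paths are assumptions for illustration.

```python
"""Detection rules for the CVE-2026-40420 indicators, run over constructed sample events.
Added example; the event records are hand-built to mirror Security 4688 / Sysmon 11 fields."""
from __future__ import annotations

from dataclasses import dataclass

# SYSTEM-level Click-To-Run is expected to launch only binaries installed under these roots (assumption).
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)
C2R_PARENT_IMAGE = "officeclicktorun.exe"  # image backing the ClickToRunSvc service
C2R_INSTALL_DIR = "c:\\program files\\common files\\microsoft shared\\clicktorun\\"
SERVICE_ACCOUNTS = {r"nt authority\system", r"nt authority\local service", r"nt authority\network service"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are case- and slash-insensitive."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_process_event(ev: dict) -> Alert | None:
    """Security 4688: SYSTEM-level OfficeClickToRun.exe spawning a child from outside the trusted roots."""
    if ev.get("Channel") != "Security" or ev.get("EventID") != 4688:
        return None
    if _basename(ev.get("ParentProcessName", "")) != C2R_PARENT_IMAGE:
        return None
    subject = _norm(f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}")
    if subject != r"nt authority\system":
        return None
    child = _norm(ev.get("NewProcessName", ""))
    if child.startswith(TRUSTED_ROOTS):
        return None
    return Alert("c2r_untrusted_child", ev["Computer"], f"{child} cmd={ev.get('CommandLine', '')}")


def check_file_event(ev: dict) -> Alert | None:
    """Sysmon 11 (FileCreate): a non-service account writing into the Click-To-Run install directory."""
    if ev.get("Channel") != "Microsoft-Windows-Sysmon/Operational" or ev.get("EventID") != 11:
        return None
    target = _norm(ev.get("TargetFilename", ""))
    if not target.startswith(C2R_INSTALL_DIR):
        return None
    user = _norm(ev.get("User", ""))
    if user in SERVICE_ACCOUNTS:
        return None
    return Alert("c2r_dir_write_by_user", ev["Computer"], f"{user} wrote {target} via {_basename(ev.get('Image', ''))}")


def run_detections(events) -> list[Alert]:
    """Apply every rule to every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for check in (check_process_event, check_file_event):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


C2R_DIR_SAMPLE = r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun"
# Constructed sample events (not real telemetry): benign, suspicious, benign, suspicious.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4688, "Computer": "WS01",  # service launches its own client
     "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "ParentProcessName": C2R_DIR_SAMPLE + r"\OfficeClickToRun.exe",
     "NewProcessName": C2R_DIR_SAMPLE + r"\OfficeC2RClient.exe", "CommandLine": "OfficeC2RClient.exe /update user"},
    {"Channel": "Security", "EventID": 4688, "Computer": "WS01",  # same SYSTEM parent, child in a user temp dir
     "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "ParentProcessName": C2R_DIR_SAMPLE + r"\OfficeClickToRun.exe",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\helper.exe", "CommandLine": "helper.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11, "Computer": "WS01",  # service writes its own files
     "User": r"NT AUTHORITY\SYSTEM", "Image": C2R_DIR_SAMPLE + r"\OfficeClickToRun.exe",
     "TargetFilename": C2R_DIR_SAMPLE + r"\Updates\manifest.xml"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11, "Computer": "WS01",  # standard user writes there
     "User": r"CORP\alice", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": C2R_DIR_SAMPLE + r"\loader.dll"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The allow-list approach (trusted roots rather than a list of known-bad directories) is deliberate: it catches children launched from any user-writable location, including ones not enumerated in advance, at the cost of needing tuning for environments that legitimately install Office components elsewhere. The file rule treats every non-service account as suspect; in production, exclude your deployment or patch-management accounts after confirming they are the only legitimate writers.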
How to Mitigate CVE-2026-40420
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-40420 Advisory to all systems running Microsoft Office Click-To-Run
- Verify the Office build number after update using File > Account > About and confirm it matches the patched channel version published by Microsoft
- Restrict local logon rights on shared and high-value workstations to limit the population of users who could exploit a local privilege escalation
Patch Information
Microsoft has released a security update through the standard Office Click-To-Run servicing channel. Click-To-Run installations update automatically when connected to the internet, but enterprises using deferred channels or managed update rings must validate that the patched build is deployed. Refer to the Microsoft advisory for the exact build numbers per channel.
Workarounds
- No vendor-supplied workaround is documented; installing the security update is the supported remediation
- Reduce local attack surface by enforcing least privilege, removing unnecessary local administrator rights, and applying application control policies that block unauthorized binaries
- Monitor for the indicators and detection patterns described above until patching is confirmed across the fleet
REM Trigger an Office Click-To-Run update check on a Windows host (the host must be able to reach its update source)
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user
REM Read the installed Office build so it can be compared with the patched build listed in the Microsoft advisory
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /v VersionToReport
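Confirming the patch across a fleet means collecting the VersionToReport value from every host and comparing it numerically against the patched build, since a string comparison of build numbers gives wrong answers ("16.0.9999" sorts after "16.0.10000"). The code below is an added example, not part of the advisory or Microsoft tooling; it parses the output of the reg query command above as collected from several hosts and reports every host that cannot be confirmed as patched. The minimum build, hostnames and captured outputs are placeholders constructed for illustration; the real per-channel build numbers come from the Microsoft advisory.

```python
"""Fleet check of the installed Office Click-To-Run build against the patched build.
Added example: parses `reg query ... /v VersionToReport` output and compares builds numerically."""
from __future__ import annotations

import re

MIN_PATCHED_BUILD = "16.0.10000.20000"  # PLACEHOLDER, not a real build; take the value from the advisory

# Matches the value line that reg query prints for VersionToReport (trailing \r tolerated).
_VERSION_LINE = re.compile(r"^\s*VersionToReport\s+REG_SZ\s+([\d.]+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_version_to_report(reg_query_output: str) -> str | None:
    """Extract the build string, or None if the value was missing or the query failed."""
    m = _VERSION_LINE.search(reg_query_output)
    return m.group(1) if m else None


def build_tuple(version: str) -> tuple[int, ...]:
    """'16.0.9999.20000' -> (16, 0, 9999, 20000) so comparison is numeric per component."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version: str, minimum: str = MIN_PATCHED_BUILD) -> bool:
    return build_tuple(version) >= build_tuple(minimum)


def unpatched_hosts(results: dict[str, str], minimum: str = MIN_PATCHED_BUILD) -> dict[str, str]:
    """Map host -> reason for every host that cannot be confirmed as patched."""
    findings = {}
    for host, output in results.items():
        version = parse_version_to_report(output)
        if version is None:
            findings[host] = "VersionToReport not found (no Click-To-Run install, or query failed)"
        elif not is_patched(version, minimum):
            findings[host] = f"build {version} is below {minimum}"
    return findings


# Constructed reg query outputs, one per host (placeholders, not captured from real systems).
SAMPLE_RESULTS = {
    "WS01": ("\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration\r\n"
             "    VersionToReport    REG_SZ    16.0.10000.20000\r\n"),
    "WS02": ("\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\Configuration\r\n"
             "    VersionToReport    REG_SZ    16.0.9999.20000\r\n"),
    "WS03": "ERROR: The system was unable to find the specified registry key or value.\r\n",
}

if __name__ == "__main__":
    for host, reason in unpatched_hosts(SAMPLE_RESULTS).items():
        print(f"{host}: {reason}")
```

A host with no VersionToReport value is reported rather than silently skipped: it may have no Click-To-Run install, but it may also be a host where the query failed, and either way it cannot be marked as patched.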
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.