CVE-2026-40421 Overview
CVE-2026-40421 is an information disclosure vulnerability in Microsoft Office Word caused by external control of file name or path [CWE-73]. An unauthorized attacker can craft a malicious Word document that, when opened by a victim, causes Word to reference an attacker-controlled file path. This results in disclosure of information over a network. The flaw affects Microsoft 365 Apps, Microsoft Office 2019, 2021 LTSC, 2024 LTSC, and Word 2016 across both x64 and x86 architectures. Exploitation requires user interaction, typically opening a crafted document delivered through phishing or web-based delivery channels.
Critical Impact
Successful exploitation enables an unauthorized network attacker to disclose limited confidential information from the targeted system through a crafted Office Word document.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Office 2019, 2021 LTSC, and 2024 LTSC (x64 and x86)
- Microsoft Word 2016 (x64 and x86)
Discovery Timeline
- 2026-05-12 - CVE-2026-40421 published to NVD
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-40421
Vulnerability Analysis
The vulnerability stems from external control of file name or path [CWE-73] within Microsoft Office Word. Word processes document elements that can reference external resources by file path or Uniform Resource Identifier (URI). When an attacker controls these path values inside a crafted document, Word resolves them and initiates a network request. That request can leak information such as authentication material or system metadata to a server controlled by the attacker.
The attack vector is network-based but requires user interaction. A victim must open the malicious document for the exploitation chain to begin. The vulnerability impacts confidentiality only, with no impact to integrity or availability of the host system. EPSS data indicates a low near-term exploitation probability based on current threat telemetry.
Root Cause
Word accepts externally supplied path or URI values inside document constructs without sufficient validation of their destination. The application then dereferences these paths during rendering or processing. This allows an attacker-controlled document to direct Word to query attacker-owned network locations, leaking information passively returned during the protocol exchange.
Attack Vector
An attacker crafts a Word document containing externally controlled file path references pointing to an attacker-controlled host. The attacker delivers the document through phishing email, file-sharing services, or compromised websites. When the victim opens the file, Word attempts to resolve the embedded path. The resulting network connection discloses information to the attacker's listener. No privileges are required on the target system. The vulnerability mechanism is described in detail by the Microsoft CVE-2026-40421 Advisory.
Detection Methods for CVE-2026-40421
Indicators of Compromise
- Outbound Server Message Block (SMB), WebDAV, or HTTP requests originating from winword.exe to untrusted external hosts shortly after a document is opened.
- Word documents containing external references, remote templates, or INCLUDEPICTURE/frame fields pointing to attacker-controlled domains or Universal Naming Convention (UNC) paths.
- Anomalous Net-NTLM authentication attempts to internet-facing hosts following email attachment activity.
Detection Strategies
- Inspect inbound .docx, .doc, .rtf, and .dotx attachments for embedded external path references using static document analysis.
- Correlate process telemetry from Office applications with outbound network connections to non-corporate destinations.
- Hunt for child processes and network sockets created by winword.exe immediately after document open events.
Monitoring Recommendations
- Monitor egress traffic on TCP/445, TCP/139, and WebDAV ports for connections initiated by Office processes.
- Alert on Office processes resolving Domain Name System (DNS) queries for newly registered or low-reputation domains.
- Forward Office telemetry and endpoint network events to a centralized data lake for retrospective hunting against indicators tied to this CVE.
How to Mitigate CVE-2026-40421
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-40421 Advisory to all affected Office installations.
- Enable Protected View and Office Application Guard for documents originating from the internet or email.
- Block outbound SMB and WebDAV traffic from user workstations to the public internet at the perimeter firewall.
Patch Information
Microsoft has released security updates for Microsoft 365 Apps, Office 2019, Office 2021 LTSC, Office 2024 LTSC, and Word 2016. Administrators should deploy the corresponding update through Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Intune. Refer to the Microsoft CVE-2026-40421 Advisory for build numbers and channel-specific guidance.
Workarounds
- Configure Group Policy to disable automatic loading of external content and remote templates in Word.
- Restrict NT LAN Manager (NTLM) authentication to external destinations using the Network security: Restrict NTLM policies.
- Train users to avoid opening unsolicited Office attachments and to report suspicious documents to the security team.
# Configuration example: Group Policy registry keys to harden Word against external content
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" /v BlockContentExecutionFromInternet /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Options" /v DontUpdateLinks /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
