CVE-2026-40358 – Microsoft Office Remote Code Execution Vulnerability

A critical remote code execution vulnerability exists in Microsoft Office due to a use-after-free flaw. An unauthorized attacker could exploit the vulnerability to execute code locally when malicious Office content is processed. The Preview Pane is confirmed as an attack vector, increasing exposure during normal document handling activities.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability could allow attackers to execute arbitrary code on affected systems through specially crafted Office files. Successful exploitation may result in malware installation, credential theft, exposure of sensitive business information, and compromise of employee workstations.

EXPLOITS:
At the time of publication, Microsoft reports that the vulnerability was not publicly disclosed and was not exploited. Exploit Code Maturity is listed as Unproven, and exploitation is assessed as Less Likely.

TECHNICAL SUMMARY:
CVE-2026-40358 is caused by a use-after-free condition in Microsoft Office. The vulnerability occurs when Office improperly handles memory after it has been freed, potentially allowing specially crafted content to trigger execution of attacker-controlled code on the local system. Although the title refers to remote code execution, the CVSS attack vector is Local because the malicious content must be processed on the target machine.
The Preview Pane is confirmed as an attack vector, meaning exploitation may occur during preview operations without requiring the user to fully open the document.

EXPLOITABILITY:
Affected software is Microsoft Office. Exploitation requires malicious Office content to be processed locally, including through the Preview Pane. No privileges or user interaction are required according to the CVSS metrics.

BUSINESS IMPACT:
Office applications are deeply integrated into everyday business communication and collaboration. A successful exploit could compromise endpoints, expose confidential information, support phishing campaigns, and provide attackers with an initial foothold inside enterprise networks.

WORKAROUND:
No mitigations or workarounds are listed. Apply the official Microsoft security update for affected Office products.

URGENCY:
This vulnerability should be prioritized because it is Critical and the Preview Pane is an attack vector. Even though exploitation is currently assessed as Less Likely, document preview attack paths increase exposure and reduce the amount of user interaction normally required.