CVE-2026-40363 – Microsoft Office Remote Code Execution Vulnerability

A critical remote code execution vulnerability exists in Microsoft Office due to a heap-based buffer overflow. An unauthorized attacker could exploit the flaw to execute code locally when specially crafted Office content is processed. The Preview Pane is confirmed as an attack vector, increasing exposure during normal document handling activities.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability could allow attackers to execute arbitrary code on affected systems through malicious Office files. Successful exploitation may lead to malware deployment, credential theft, data exposure, endpoint compromise, and broader enterprise intrusion.

EXPLOITS:
At the time of publication, Microsoft reports that the vulnerability was not publicly disclosed and was not exploited in the wild. Exploit Code Maturity is listed as Unproven, and exploitation is assessed as Less Likely.

TECHNICAL SUMMARY:
CVE-2026-40363 is caused by a heap-based buffer overflow in Microsoft Office. Improper memory handling may allow specially crafted Office content to corrupt memory and execute attacker-controlled code on the local system. Although the title references remote code execution, the CVSS attack vector is Local because exploitation occurs when malicious content is processed locally by the target machine.
The Preview Pane is confirmed as an attack vector, meaning exploitation may occur during preview operations without requiring a document to be fully opened in the traditional manner.

EXPLOITABILITY:
Affected software is Microsoft Office. Exploitation requires malicious Office content to be processed locally, including through the Preview Pane. No privileges or user interaction are required according to the CVSS metrics.

BUSINESS IMPACT:
Office-based vulnerabilities remain highly effective because Office documents are deeply integrated into business communication and collaboration. A successful exploit could compromise employee workstations, expose sensitive business information, and provide attackers with an initial foothold inside enterprise environments.

WORKAROUND:
No mitigations or workarounds are listed. Apply the official Microsoft security update for affected Office products.

URGENCY:
This vulnerability should be treated as a high-priority patching item because it is Critical and the Preview Pane is an attack vector. Even though exploitation is currently assessed as Less Likely, preview-based document attacks reduce normal user warning signs and increase the likelihood of accidental exposure.