CVE-2026-40364 – Microsoft Word Remote Code Execution Vulnerability

A critical remote code execution vulnerability exists in Microsoft Word due to type confusion, use of uninitialized resource, and heap-based buffer overflow weaknesses. An unauthorized attacker could exploit the vulnerability to execute code locally when malicious Word content is processed. The Preview Pane is confirmed as an attack vector.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability could allow attackers to execute arbitrary code on affected systems through malicious Word content. Successful exploitation may lead to endpoint compromise, malware execution, data theft, and further movement across the organization.

EXPLOITS:
At the time of publication, Microsoft reports that the vulnerability was not publicly disclosed and was not exploited. Exploit Code Maturity is listed as Unproven, but exploitation is assessed as More Likely.

TECHNICAL SUMMARY:
CVE-2026-40364 involves improper access of a resource using an incompatible type, also known as type confusion, in Microsoft Office Word. The vulnerability also includes use of uninitialized resource and heap-based buffer overflow weaknesses. These memory handling issues may allow specially crafted Word content to corrupt memory and execute attacker-controlled code locally. Although the title uses “Remote Code Execution,” the CVSS attack vector is Local because the malicious content must be processed on the target machine. The Preview Pane is an attack vector.

EXPLOITABILITY:
Affected software is Microsoft Office Word. Exploitation requires malicious Word content to be processed locally, including through the Preview Pane. No privileges or user interaction are required according to the CVSS metrics.

BUSINESS IMPACT:
A successful exploit could compromise user workstations, expose sensitive documents, enable credential theft, and provide attackers with a foothold inside the enterprise. Because Word documents are frequently shared through email, collaboration tools, and websites, this vulnerability is well suited for phishing and document-based attacks.

WORKAROUND:
No mitigations or workarounds are listed. Apply the official Microsoft security update.

URGENCY:
This vulnerability should be prioritized because it is Critical, Preview Pane is an attack vector, and exploitation is assessed as More Likely. Document-based vulnerabilities can spread quickly through normal business workflows and may require very little user involvement.