CVE-2026-40366 – Microsoft Word Remote Code Execution Vulnerability

A critical remote code execution vulnerability exists in Microsoft Word due to a use-after-free flaw. An unauthorized attacker could exploit the issue to execute code locally when malicious Word content is processed. The Preview Pane is confirmed as an attack vector, increasing risk during routine file handling.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability could allow attackers to execute arbitrary code on affected systems through malicious Word documents. Successful exploitation may lead to malware installation, data theft, workstation compromise, and further movement inside the organization.

EXPLOITS:
At the time of publication, Microsoft reports that the vulnerability was not publicly disclosed and was not exploited. Exploit Code Maturity is listed as Unproven, and exploitation is assessed as Less Likely.

TECHNICAL SUMMARY:
CVE-2026-40366 is caused by a use-after-free condition in Microsoft Office Word. The vulnerability occurs when Word improperly handles memory after it has been freed, which may allow specially crafted content to trigger execution of attacker-controlled code. Although the title uses “Remote Code Execution,” the CVSS attack vector is Local because the malicious content must be processed on the target system. The Preview Pane is an attack vector, meaning document preview behavior may expose users to exploitation.

EXPLOITABILITY:
Affected software is Microsoft Office Word. Exploitation requires malicious Word content to be processed locally. No privileges or user interaction are required according to the CVSS metrics, and the Preview Pane can be used as an attack vector.

BUSINESS IMPACT:
A successful exploit could compromise employee endpoints, expose sensitive documents, support credential theft, and give attackers a foothold for broader enterprise intrusion. Word files are commonly shared by email and collaboration tools, making this vulnerability especially relevant to phishing and document-based attacks.

WORKAROUND:
No mitigations or workarounds are listed. Apply the official Microsoft security update.

URGENCY:
This vulnerability should be prioritized because it is rated Critical and includes Preview Pane exposure. Even though exploitation is assessed as Less Likely, document preview attack paths reduce user decision points and increase risk from malicious files.