CVE-2026-40367 – Microsoft Word Remote Code Execution Vulnerability

A critical remote code execution vulnerability exists in Microsoft Word due to an untrusted pointer dereference flaw. An unauthorized attacker could exploit the vulnerability to execute code locally, and the Preview Pane is confirmed as an attack vector, increasing the risk of exposure through routine document handling.
CVSS Score: 8.4
SEVERITY: Critical
THREAT:
This vulnerability could allow attackers to execute arbitrary code on affected systems through malicious Word content. Successful exploitation may lead to malware deployment, theft of sensitive information, workstation compromise, and further movement inside the enterprise environment.

EXPLOITS:
At the time of publication, Microsoft reports that the vulnerability was not publicly disclosed and was not exploited in the wild. Exploit Code Maturity is listed as Unproven, and exploitation is assessed as Unlikely.

TECHNICAL SUMMARY:
CVE-2026-40367 is caused by an untrusted pointer dereference in Microsoft Office Word. Improper handling of memory references may allow specially crafted Word content to trigger execution of attacker-controlled code on the local system. Although the title references remote code execution, the CVSS attack vector is Local because the malicious content must be processed locally by the target system.
The Preview Pane is confirmed as an attack vector, meaning exploitation may occur during document preview operations without requiring the document to be fully opened in the traditional manner.

EXPLOITABILITY:
Affected software is Microsoft Office Word. Exploitation requires malicious Word content to be processed locally. No privileges or user interaction are required according to the CVSS metrics, and the Preview Pane can trigger the vulnerability.

BUSINESS IMPACT:
Word documents remain one of the most common business file formats exchanged through email and collaboration platforms. A successful exploit could compromise employee systems, expose confidential data, enable credential theft, and create an entry point for broader enterprise attacks.

WORKAROUND:
No mitigations or workarounds are listed. Microsoft states that all applicable update packages for affected software should be installed.

URGENCY:
This vulnerability should be treated as a high-priority patching item because it is rated Critical and the Preview Pane is an attack vector. Preview-based exploitation paths reduce the amount of user interaction normally required and increase enterprise exposure to malicious document attacks.