Cyber Resilience

CVE-2026-40362

HighUpdated

Published: 12 May 2026

Published
12 May 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0006 19.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40362 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Heap buffer overflow in client application (Excel) directly enables arbitrary code execution via malicious file opened by user (T1203 Exploitation for Client Execution, T1204.002 Malicious File).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21390Same product: Microsoft 365 Apps
CVE-2026-26108Same product: Microsoft 365 Apps
CVE-2026-20957Same product: Microsoft 365 Apps
CVE-2025-24057Same product: Microsoft 365 Apps
CVE-2026-21259Same product: Microsoft 365 Apps
CVE-2025-21395Same product: Microsoft 365 Apps
CVE-2025-21381Same product: Microsoft 365 Apps
CVE-2025-24082Same product: Microsoft 365 Apps
CVE-2026-20950Same product: Microsoft 365 Apps
CVE-2025-21186Same product: Microsoft 365 Apps

Affected Assets

microsoft
365 apps
all versions
microsoft
excel
2016
microsoft
office
2019
microsoft
office long term servicing channel
2021, 2024
microsoft
office online server
≤ 16.0.10417.20128

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References