Microsoft Patches Critical Office and Word Use-After-Free RCE Flaws
Microsoft disclosed and fixed two critical use-after-free vulnerabilities affecting Microsoft Office and Microsoft Word: CVE-2026-40358 and CVE-2026-40366. Both bugs are classified as CWE-416 and carry a CVSS 8.4 rating, with Microsoft assessing impacts to confidentiality, integrity, and availability as high. The company said neither flaw had been publicly disclosed or exploited in the wild at the time of publication, and it rated exploitation as less likely.
Microsoft said the vulnerabilities can lead to remote code execution, although the attack vector is described as local, with the Preview Pane able to serve as an attack path when malicious content is handled. The disclosures continue a broader pattern of Microsoft patching multiple remote code execution issues across its product line, including earlier Office flaws such as CVE-2024-30101, CVE-2025-24080, and CVE-2025-59234, as well as RCE bugs in Windows Connected Devices Platform Service, Remote Desktop Protocol, and Inbox COM Objects.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses and patches CVE-2026-40366 in Microsoft Word
Microsoft disclosed CVE-2026-40366, a critical Microsoft Word use-after-free remote code execution vulnerability with a CVSS 8.4 score. Microsoft said the flaw was not publicly disclosed or exploited at publication, assessed exploitation as less likely, noted the Preview Pane as an attack vector, and made a fix available.
Microsoft discloses and patches CVE-2026-40358 in Microsoft Office
Microsoft disclosed CVE-2026-40358, a critical Microsoft Office use-after-free vulnerability that can lead to remote code execution, with a CVSS 8.4 score. Microsoft said exploitation was less likely, there was no public disclosure or in-the-wild exploitation at publication, the Preview Pane could be an attack vector, and a fix was available.
Microsoft discloses CVE-2025-59234 for Microsoft Office
Microsoft published a Security Update Guide entry for CVE-2025-59234, a Microsoft Office remote code execution vulnerability. The disclosure was included in Microsoft's October 2025 security updates.
Microsoft discloses CVE-2025-58737 in Remote Desktop Protocol
Microsoft published a Security Update Guide entry for CVE-2025-58737, a Remote Desktop Protocol remote code execution vulnerability. The advisory was released on October 14, 2025.
Microsoft discloses CVE-2025-58736 affecting Inbox COM Objects
Microsoft published a Security Update Guide entry for CVE-2025-58736, a remote code execution vulnerability in Inbox COM Objects (Global Memory). The disclosure was issued as part of the October 2025 security updates.
Microsoft discloses CVE-2025-49724 in Windows Connected Devices Platform Service
Microsoft published a Security Update Guide entry for CVE-2025-49724, a remote code execution vulnerability in the Windows Connected Devices Platform Service. The advisory was released on July 8, 2025.
Microsoft discloses CVE-2025-24080 for Microsoft Office
Microsoft published a Security Update Guide entry for CVE-2025-24080, a Microsoft Office remote code execution vulnerability. The disclosure occurred with Microsoft's March 2025 security updates.
Microsoft discloses CVE-2024-30101 for Microsoft Office
Microsoft published a Security Update Guide entry for CVE-2024-30101, a Microsoft Office remote code execution vulnerability. The advisory indicates the vulnerability was disclosed as part of Microsoft's June 2024 security updates.
Sources
CVE-2026-40358 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2026-40366 - Security Update Guide - Microsoft - Microsoft Word Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-58736 - Security Update Guide - Microsoft - Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-59234 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-58737 - Security Update Guide - Microsoft - Remote Desktop Protocol Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-49724 - Security Update Guide - Microsoft - Windows Connected Devices Platform Service Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2025-24080 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability (msrc.microsoft.com)
CVE-2024-30101 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability (msrc.microsoft.com)