Mallory
High

Microsoft Word Untrusted Pointer Dereference Local Code Execution Vulnerability

Identifiers: CVE-2026-40367, CWE-822 · Untrusted Pointer Dereference

CVE-2026-40367 is a critical Microsoft Word remote code execution vulnerability caused by an untrusted pointer dereference. The provided content states that the flaw affects Microsoft Word and may allow an unauthorized attacker to execute code locally. Multiple supporting references indicate the issue is exploitable through a crafted Word or Office document, and that this set of Word/Office RCE vulnerabilities can be triggered via the Preview Pane. No more specific vulnerable function or code path is provided in the supplied material.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution in the security context of the targeted user on the local system. Based on the supplied context, exploitation may occur when a victim opens or previews a specially crafted Word document, enabling compromise of the endpoint and follow-on actions consistent with code execution, such as malware deployment, data access, or lateral movement subject to the victim's privileges.

Mitigation

If you can’t patch tonight, do this now.

Until patches are fully deployed, reduce exposure by warning users not to open unsolicited or suspicious Office/Word documents, including files received from apparently known contacts. Because the supplied content indicates these Office/Word RCE issues may be exploitable via the Preview Pane, organizations should treat document preview as a potential trigger path and apply compensating controls around email and document handling, alongside enhanced monitoring on endpoints, email systems, and file servers. Detection content such as the referenced Cisco Talos Snort rules may also help identify exploitation attempts.

Remediation

Patch, then assume compromise.

Apply the Microsoft security updates released for May 2026 that address CVE-2026-40367 in Microsoft Word/Office. The supplied content does not provide a KB number or product-version-specific patch guidance for this CVE, so the authoritative remediation is to deploy the relevant Microsoft Patch Tuesday updates for all affected Word/Office installations as identified by Microsoft.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

| Vendor | Product | Type |
|---|---|---|
| Microsoft Corporation | 365 Apps | application |
| Microsoft Corporation | Office | application |
| Microsoft Corporation | Office 2019 | application |
| Microsoft Corporation | Office 2021 | application |
| Microsoft Corporation | Office 2024 | application |
| Microsoft Corporation | Office Long Term Servicing Channel | application |
| Microsoft Corporation | Office Macos 2021 | application |
| Microsoft Corporation | Office Macos 2024 | application |
| Microsoft Corporation | Sharepoint Server | application |
| Microsoft Corporation | Sharepoint Server 2016 | application |
| Microsoft Corporation | Sharepoint Server 2019 | application |
| Microsoft Corporation | Word | application |
| Microsoft Corporation | Word 2016 | application |

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
