High

Microsoft Word Preview Pane Type Confusion RCE

IdentifiersCVE-2026-40364CWE-843· Access of Resource Using…

CVE-2026-40364 is a Microsoft Office Word remote code execution vulnerability caused by access of a resource using an incompatible type (type confusion). The flaw affects Microsoft Word and is described in the provided content as a critical Word RCE with a CVSS score of 8.4. Multiple sources in the content state that exploitation can be triggered by a specially crafted malicious Word document and that the Preview Pane is a viable attack vector, meaning the target may not need to explicitly open the document for the vulnerable code path to be reached. The content also notes related weakness classes in Microsoft advisory material, including heap-based buffer overflow, but the primary weakness explicitly identified for this CVE is type confusion.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthorized attacker to execute code locally on the affected system in the security context of the user or process handling the malicious document. Because this is a Word RCE reachable through Preview Pane processing, impact can include full compromise of the affected workstation, theft or modification of local data accessible to the compromised context, installation of malware, and use of the host as a foothold for further intrusion. The advisory content characterizes the impact as high for confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to untrusted Word documents, especially those received via email or downloaded from untrusted sources. Because the Preview Pane is identified as an attack vector, avoid previewing untrusted documents in applications that render Word files through preview functionality, and limit handling of such files until patches are deployed. No specific vendor workaround beyond patching is provided in the supplied content.

Remediation

Patch, then assume compromise.

Apply Microsoft's official security update for the affected Microsoft Office Word versions as provided through the Microsoft Security Update Guide. Prioritize patching because Microsoft assessed this CVE as more likely to be exploited within 30 days of release and because the Preview Pane attack vector reduces user-action requirements.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft Corporation365 Appsapplication

Microsoft CorporationOfficeapplication

Microsoft CorporationOffice 2019application

Microsoft CorporationOffice 2021application

Microsoft CorporationOffice 2024application

Microsoft CorporationOffice Long Term Servicing Channelapplication

Microsoft CorporationOffice Macos 2021application

Microsoft CorporationOffice Macos 2024application

Microsoft CorporationOffice Wordapplication

Microsoft CorporationWordapplication

Microsoft CorporationWord 2016application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

security affairsNews

May 13, 2026

Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming

A Microsoft Word remote code execution vulnerability caused by type confusion that can be triggered through the Preview Pane without opening the malicious document.

outpost24 blogNews

May 13, 2026

Microsoft Patch Tuesday - May 2026

A type confusion vulnerability in Microsoft Word that can trigger remote code execution when a crafted document is opened or previewed.

cyberthroneNews

May 13, 2026

Microsoft Patch Tuesday - May 2026 - TheCyberThrone

A critical Microsoft Word remote code execution vulnerability that can be triggered through the Preview Pane without opening the document, making user interaction requirements minimal.

sophos threat researchNews

May 13, 2026

May’s Patch Tuesday hauls out 132 CVEs | SOPHOS

A Microsoft Word remote code execution vulnerability exploitable via the Preview Pane and assessed by Microsoft as more likely to be exploited within 30 days.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-40364

NVD

nvd.nist.gov/vuln/detail/CVE-2026-40364

MITRE CWE · CWE-843

Access of Resource Using Incompatible Type…

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40364