CVE-2026-40361 · CWE-416 · Disclosed 2026-05-12

Use after free in Microsoft Office Word

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a landmine hidden in the mailroom floor, not a lockpick left inside the office

At face value, CVE-2026-40361 is a CWE-416 use-after-free in Microsoft Word that can lead to code execution in the context of the logged-in user. NVD ties it to Microsoft 365 Apps for enterprise, Word 2016, Office 2019, and Office LTSC 2021/2024 families, across x86/x64 and some Mac Office LTSC entries in the CPE list. Microsoft shipped fixes on 2026-05-12 as part of the May 2026 Office security updates, including KB5002858 for Word 2016 MSI.

The vendor 8.4 HIGH is too low for enterprise prioritization if the reported Outlook Preview Pane trigger is accurate. Multiple secondary sources citing Microsoft's advisory say the document can be weaponized through Preview Pane rendering and was marked Exploitation More Likely; that turns a nominally AV:L bug into an email-delivered client RCE with no open-attachment click, which is much closer to a zero-click endpoint compromise path than the raw CVSS suggests.

"Treat this like an email-borne zero-click client RCE, not a boring local Office bug."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Deliver a crafted Word payload by email

The attacker packages the trigger into a malicious Word document or Word-rendered mail content and sends it to a target mailbox. In the reported enterprise-relevant path, classic Outlook on Windows becomes the delivery vehicle because the document can be rendered from the inbox workflow rather than from a browser download.
Conditions required:
  • Attacker can send mail to the target organization
  • Target uses Windows Office/Outlook components that render Word content
  • The vulnerable Office build is still installed
Where this breaks in practice:
  • Mail gateways can still strip obviously suspicious attachments
  • Some organizations block external Office attachments or detonate them in sandbox
  • New Outlook/Web Outlook populations may not map cleanly to the classic Outlook preview path
Detection/coverage: Network scanners are weak here; this is primarily an email/endpoint inventory problem. Mail security and sandboxing may see the lure, but authenticated software inventory is what confirms exposure.
STEP 02

Trigger Word parsing through Preview Pane

Reportedly, the weaponized document does not need to be fully opened in Word; Preview Pane rendering is enough to invoke the vulnerable code path. That means the attacker abuses normal content inspection by Outlook/Word rather than relying on macro prompts or users enabling active content.
Conditions required:
  • Preview Pane or equivalent rendering path is active
  • Classic Outlook/Word rendering stack is present
  • The malformed content reaches the parser intact
Where this breaks in practice:
  • If the organization disables Preview Pane or attachment preview handlers, the easiest trigger path breaks
  • Protected View, attachment blocking, and content disarm can reduce reliable reach
  • Exact exploitability may vary by document format and Office channel/build
Detection/coverage: Telemetry is better on the endpoint than on the wire: Office child-process creation, abnormal WINWORD.EXE behavior, crash artifacts, and email-to-process correlations are the useful signals.
STEP 03

Exploit the use-after-free for code execution

Once the malformed object hits the vulnerable parser state, the attacker reuses freed memory to redirect execution and run payload code as the logged-in user. Modern weaponization would typically use a loader or stager such as Cobalt Strike, Sliver, or a custom DLL/EXE dropper after initial control is gained.
Conditions required:
  • Exploit reliability against the target Office build
  • Memory corruption mitigations are bypassed or the exploit is tuned for the target
  • EDR does not stop the payload stage
Where this breaks in practice:
  • Memory-corruption bugs are less reliable across builds than logic flaws
  • ASLR/CFG/EDR increase exploit development cost and failure rate
  • User-context code execution is not the same as SYSTEM or domain-admin compromise
Detection/coverage: EDR should catch many post-exploitation behaviors even if it misses the parser crash itself. Office spawning script hosts, LOLBins, or unsigned child processes is high-signal.
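The Office child-process signal called out above (and again in the compensating controls) can be checked without waiting for an EDR rule. The script below is an added example and is not part of the noisgate page or its verification payload. Find-OfficeSpawn works on any object exposing ParentImage, Image and CommandLine fields; Get-SysmonProcessCreates is an assumption that Sysmon is installed and logging Event ID 1, and the benign-child list is a starting point to tune per estate. The constructed sample rows are built so that the hidden PowerShell launch from OUTLOOK.EXE rates HIGH, the unlisted temp-folder binary from WINWORD.EXE rates MEDIUM, and the spooler helper and explorer-parented row are ignored.

```powershell
# Added example (not from the noisgate page or its verification payload): flags process-creation
# records where an Office parent (OUTLOOK.EXE, WINWORD.EXE) spawns a script host, LOLBin or other
# unexpected child. Find-OfficeSpawn works on any object exposing ParentImage/Image/CommandLine;
# Get-SysmonProcessCreates assumes Sysmon is installed and logging Event ID 1.

$OfficeParents = @('outlook.exe', 'winword.exe')

# Children a document render or inbox preview has no business launching.
$SuspiciousChildren = @(
    'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
    'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe', 'curl.exe'
)

# Children Office spawns legitimately (printing, updater, helper processes); tune per estate.
$KnownBenignChildren = @('splwow64.exe', 'officeclicktorun.exe', 'ai.exe', 'sdxhelper.exe')

# Returns one finding per Office-parented process that is not on the benign list.
function Find-OfficeSpawn {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName([string]$e.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName([string]$e.Image).ToLowerInvariant()
        if ($OfficeParents -notcontains $parent)   { continue }
        if ($KnownBenignChildren -contains $child) { continue }
        $severity = if ($SuspiciousChildren -contains $child) { 'HIGH' } else { 'MEDIUM' }
        [pscustomobject]@{
            Severity    = $severity
            Time        = $e.Time
            Host        = $e.Host
            Parent      = $parent
            Child       = $child
            CommandLine = $e.CommandLine
        }
    }
}

# Projects Sysmon Event ID 1 (process create) into the fields Find-OfficeSpawn expects.
function Get-SysmonProcessCreates {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Host        = $_.MachineName
                ParentImage = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline:
# a hidden PowerShell launch from Outlook, a print spooler helper from Word, an unlisted
# temp-folder binary from Word, and an unrelated explorer-parented cmd.exe.
$sampleEvents = @(
    [pscustomobject]@{ Time = '2026-05-13T08:01:10'; Host = 'WS01'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1' }
    [pscustomobject]@{ Time = '2026-05-13T08:02:44'; Host = 'WS01'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\splwow64.exe'; CommandLine = 'C:\Windows\splwow64.exe 12288' }
    [pscustomobject]@{ Time = '2026-05-13T08:03:05'; Host = 'WS02'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Users\jdoe\AppData\Local\Temp\update.exe'; CommandLine = 'update.exe' }
    [pscustomobject]@{ Time = '2026-05-13T08:04:30'; Host = 'WS02'; ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c dir' }
)

Find-OfficeSpawn -Events $sampleEvents | Format-Table -AutoSize
# Against live telemetry: Find-OfficeSpawn -Events (Get-SysmonProcessCreates) | Sort-Object Severity
```

Where Sysmon is not deployed, the same projection can be built from Security event 4688 with command-line auditing enabled, which carries the creator process name on current Windows builds; the scoring function does not care which source fed it. Anything rated MEDIUM is a candidate for the benign list only after someone has looked at the binary, not by default.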
STEP 04

Monetize user-context access

The real damage is whatever the compromised user can touch: mailbox data, cached tokens, SharePoint/OneDrive content, Teams artifacts, and line-of-business apps. In enterprises with broadly entitled users, this is often enough for credential theft, internal phishing, and lateral movement without ever needing kernel or admin rights on day one.
Conditions required:
  • The victim has useful access or tokens
  • Post-exploitation tooling runs successfully
  • Lateral movement controls are weak
Where this breaks in practice:
  • Least privilege and conditional access can cap blast radius
  • Application control can block second-stage tooling
  • Rapid user isolation by SOC limits follow-on impact
Detection/coverage: Mailbox access anomalies, token theft indicators, suspicious OAuth/session reuse, and unusual file-sync or SharePoint activity are the downstream signals.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No confirmed active exploitation located in the sources reviewed; CISA KEV does not list this CVE.
Proof-of-concept availability: No public PoC found in the reviewed sources. That said, SecurityWeek reports Microsoft rated it Exploitation More Likely, so expect private exploit development pressure.
EPSS: 0.00101 (very low). Good reminder that EPSS is threat-likelihood telemetry, not impact; for niche client bugs it can lag real enterprise concern.
KEV status: Not KEV-listed as of the sources reviewed; no CISA due date exists.
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Microsoft scores it as local, low complexity, no privileges, no UI, and full CIA impact. The enterprise dispute is the AV:L assumption if Preview Pane delivery is real.
Affected versions: NVD CPEs show Microsoft 365 Apps for enterprise, Word 2016, Office 2019, and Office LTSC 2021/2024 variants as affected.
Fixed versions: Microsoft shipped fixes on 2026-05-12. Confirm KB5002858 for Word 2016 MSI and use the May 2026 Office security updates plus channel-specific Office update history for Click-to-Run/LTSC builds.
Scanning / exposure data: Internet census is mostly irrelevant. Shodan/Censys/FOFA won't meaningfully enumerate vulnerable Word endpoints because this is client software, not a listening network service. Your exposure count comes from endpoint/software inventory, not perimeter scanning.
Disclosure date: 2026-05-12 via Microsoft/NVD.
Reporter / researcher: Not disclosed in the sources reviewed.
04 · The Call

noisgate verdict.

Final Verdict
UPGRADED to CRITICAL (9.1/10)

The decisive amplifier is the reported Preview Pane trigger, which turns this from a nominally local parser bug into an email-delivered endpoint RCE path that scales across normal user workflows. Even without KEV evidence, a no-open-document compromise route against a ubiquitous client stack is squarely a CRITICAL enterprise patching problem.

HIGH: Core CVE metadata, vendor score/vector, disclosure date, and affected family are correct
MEDIUM: Reassessment hinges on secondary-source reporting that Preview Pane is a viable trigger and that Microsoft marked exploitation as more likely
MEDIUM: Exact fixed build numbers across every Click-to-Run/LTSC channel are not cleanly exposed in the primary advisory view

Why this verdict

  • Upgraded because reach is broader than AV:L implies: if Outlook Preview Pane triggers the bug, the attacker only needs to land mail in a mailbox, not local code execution first.
  • Huge exposed population: Office/Word/Outlook remain common on enterprise endpoints, so the reachable population is measured in user workstations, VDI pools, and shared terminal hosts, not a niche server role.
  • No-auth, no-open path matters more than the low EPSS: once a client RCE rides standard email workflows, modern perimeter controls have to be perfect while the attacker only needs one rendered payload.
  • Blast radius is user-context, not domain-admin by default: that keeps it below wormable infrastructure-tier flaws, but user-context on a knowledge-worker endpoint is still enough to steal mail, tokens, documents, and pivot.

Why not higher?

There is no verified KEV entry or confirmed in-the-wild exploitation in the reviewed sources. Also, this is still a client-side memory-corruption exploit whose final blast radius usually starts at the current user, not instant server-side or unauthenticated internet-service compromise.

Why not lower?

Downgrading this to ordinary HIGH would over-trust the vendor's AV:L label and ignore the reported inbox/Preview Pane delivery path. In a real enterprise, an email-borne no-open Office RCE is exactly the sort of bug that turns into widespread workstation compromise before asset owners finish debating CVSS semantics.

05 · Compensating Control

What to do — in priority order.

  1. Prioritize classic Outlook + Office endpoints — Find Windows systems running classic Outlook with vulnerable Office builds and treat them as the highest-risk slice. For a CRITICAL noisgate verdict, complete this exposure triage and temporary risk reduction within 3 days.
  2. Disable Preview Pane where operationally tolerable — If the business can absorb it, turn off Outlook Preview Pane or attachment preview handlers for high-risk groups to break the easiest trigger path. For this verdict, deploy the control within 3 days while patch rollout catches up.
  3. Tighten Office child-process controls — Use ASR/AppLocker/WDAC/EDR policy to block Office apps from spawning script engines, LOLBins, and unsigned payloads. This does not fix the bug, but it meaningfully reduces post-exploitation reliability and should be pushed within 3 days.
  4. Harden email handling for Office attachments — Increase detonation, quarantine, and external-attachment tagging for Word-bearing mail flows, especially for executives and finance users. As a compensating measure for a CRITICAL case, implement within 3 days.
  5. Watch for Office crash-and-spawn patterns — Build detections around OUTLOOK.EXE or WINWORD.EXE followed by unusual child processes, memory dumps, script interpreters, or persistence writes. Detection tuning is part of mitigation and belongs within 3 days here.
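Item 3 above names ASR among the controls that stop Office from spawning script engines and LOLBins. The script below is an added example, not part of the noisgate page or its verification payload, and shows how to inventory, enable and audit the Defender ASR rules for that job. It assumes Microsoft Defender Antivirus is the active engine, an elevated shell, and that the rule GUID appears in the text of ASR events 1121/1122 (which is how Get-OfficeAsrEvents filters them); the rule GUIDs themselves are Microsoft's published identifiers.

```powershell
# Added example (not part of the noisgate page or its verification payload): inventory and
# enforce the Microsoft Defender ASR rules that stop Office apps from spawning child processes.
# Assumes Microsoft Defender Antivirus is the active engine and the shell is elevated.

# Published ASR rule GUIDs for the Office child-process family of rules.
$OfficeAsrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
}

# Numeric action values as returned by Get-MpPreference.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

# Returns one row per Office ASR rule with its current action on this endpoint.
function Get-OfficeAsrState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $OfficeAsrRules.Keys) {
        $action = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            # GUIDs may come back in either case, so compare case-insensitively.
            if ($ids[$i] -ieq $id) {
                $code   = [int]$actions[$i]
                $action = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Code$code" }
            }
        }
        [pscustomobject]@{ RuleId = $id; Rule = $OfficeAsrRules[$id]; Action = $action }
    }
}

# Sets the four rules to the requested mode. Roll out in AuditMode first, review the 1122 audit
# events for legitimate add-ins or printing tools that would be hit, then move to Enabled.
function Set-OfficeAsrRules {
    param([ValidateSet('AuditMode', 'Enabled', 'Warn')][string]$Mode = 'AuditMode')
    foreach ($id in $OfficeAsrRules.Keys) {
        # Add-MpPreference creates the rule entry or updates the action of an existing one.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
    Get-OfficeAsrState
}

# Pulls recent ASR hits for these rules from the Defender operational log:
# Event ID 1121 = blocked, 1122 = audited. Filtering on the GUID in the message text is an
# assumption about the event format; switch to parsing the event XML if your build differs.
function Get-OfficeAsrEvents {
    param([int]$Hours = 24)
    $since   = (Get-Date).AddHours(-$Hours)
    $pattern = ($OfficeAsrRules.Keys -join '|')
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, Message
}

Get-OfficeAsrState | Format-Table -AutoSize
# Set-OfficeAsrRules -Mode AuditMode      # first pass; later: Set-OfficeAsrRules -Mode Enabled
# Get-OfficeAsrEvents -Hours 72 | Format-List
```

The audit-first path matters on estates with line-of-business add-ins that launch helpers from Word or Outlook; a few days of 1122 events tells you what the Block action would break before it breaks it. Exclusions for such paths belong in AttackSurfaceReductionOnlyExclusions, not in turning the rule off.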
What doesn't work
  • Relying on macro blocking alone doesn't solve a memory-corruption parser bug; the exploit can fire before any macro decision point.
  • A network vulnerability scanner won't tell you much; this is endpoint software, not a remotely fingerprintable service.
  • Assuming email gateways are sufficient is risky because the dangerous step is legitimate rendering by Outlook/Word after delivery, not necessarily an obvious malicious executable attachment.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows endpoint or through your software-deployment/remote shell tooling with standard user rights; admin is only needed if your environment restricts registry/process inspection. Invoke with powershell -ExecutionPolicy Bypass -File .\Test-CVE-2026-40361.ps1 and it will output PATCHED, VULNERABLE, or UNKNOWN based on Office inventory it can verify locally.

noisgate-verify.ps1 (PowerShell · read-only · safe)
# Test-CVE-2026-40361.ps1
# Purpose: Local validation aid for CVE-2026-40361 exposure on Windows Office endpoints.
# Logic:
#   - PATCHED if Word 2016 MSI patch KB5002858 is installed.
#   - VULNERABLE if Word 2016 MSI is present and KB5002858 is missing.
#   - UNKNOWN for Click-to-Run/LTSC families where this script can detect presence but not the channel-specific fixed build conclusively.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=ERROR

$ErrorActionPreference = 'Stop'

function Write-Result {
    param(
        [string]$Status,
        [string]$Reason,
        [int]$Code
    )
    Write-Output ("{0}: {1}" -f $Status, $Reason)
    exit $Code
}

# Office MSI updates are registered as Windows Installer patches, not Windows hotfixes, so
# Get-HotFix (Win32_QuickFixEngineering) normally does not list them. Look the KB up in the
# per-product Installer patch entries first and keep Get-HotFix only as a secondary check.
function Test-OfficeKbInstalled {
    param([string]$Kb)
    $patchEntries = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\Patches\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Kb }
    if ($patchEntries) { return $true }
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

try {
    $officeUninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Display names such as 'Microsoft Word 2016', 'Microsoft Office Professional Plus 2019'
    # and 'Microsoft 365 Apps for enterprise' all have to match this pattern.
    $products = foreach ($root in $officeUninstallRoots) {
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object {
                $_.DisplayName -match 'Microsoft (Word|Office|365)'
            } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, PSChildName
    }

    $word2016Installed  = $products | Where-Object { $_.DisplayName -match 'Word 2016' }
    $office2019Installed = $products | Where-Object { $_.DisplayName -match 'Office 2019' }
    $m365Installed      = $products | Where-Object { $_.DisplayName -match 'Microsoft 365|Office 365|Microsoft 365 Apps' }
    $ltsc2021Installed  = $products | Where-Object { $_.DisplayName -match 'LTSC 2021|Office 2021' }
    $ltsc2024Installed  = $products | Where-Object { $_.DisplayName -match 'LTSC 2024|Office 2024' }

    $kb5002858 = Test-OfficeKbInstalled -Kb 'KB5002858'

    # Click-to-Run builds report their version here; it is recorded for the operator but
    # not mapped to a fixed build, because that mapping is channel-specific.
    $ctrConfig = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $ctrVersion = $null
    if ($ctrConfig) {
        $ctrVersion = $ctrConfig.VersionToReport
        if (-not $ctrVersion) { $ctrVersion = $ctrConfig.ClientVersionToReport }
    }

    # Case 1: Conclusive patch evidence for Word 2016 MSI
    if ($word2016Installed -and $kb5002858) {
        Write-Result -Status 'PATCHED' -Reason 'Word 2016 detected and KB5002858 is installed.' -Code 0
    }

    # Case 2: Conclusive vulnerable evidence for Word 2016 MSI
    if ($word2016Installed -and -not $kb5002858) {
        Write-Result -Status 'VULNERABLE' -Reason 'Word 2016 detected and KB5002858 was not found.' -Code 1
    }

    # Case 3: Click-to-Run / LTSC families detected but fixed build not conclusively mapped offline
    if ($m365Installed -or $ltsc2021Installed -or $ltsc2024Installed -or $office2019Installed -or $ctrVersion) {
        $details = @()
        if ($m365Installed) { $details += 'Microsoft 365 Apps present' }
        if ($ltsc2021Installed) { $details += 'Office LTSC 2021 / Office 2021 present' }
        if ($ltsc2024Installed) { $details += 'Office LTSC 2024 / Office 2024 present' }
        if ($office2019Installed) { $details += 'Office 2019 present' }
        if ($ctrVersion) { $details += ('ClickToRun version=' + $ctrVersion) }

        Write-Result -Status 'UNKNOWN' -Reason ('Affected Office family detected but exact fixed build is channel-specific and not conclusively validated by this offline script. ' + ($details -join '; ')) -Code 2
    }

    # Case 4: No obvious affected Office family found
    Write-Result -Status 'UNKNOWN' -Reason 'No clearly affected local Office product was detected, or product inventory is incomplete.' -Code 2
}
catch {
    Write-Result -Status 'UNKNOWN' -Reason ('Script error: ' + $_.Exception.Message) -Code 3
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: treat this as an email-borne Office client RCE and not as a routine local bug. Under the noisgate mitigation SLA, apply compensating controls immediately (within hours), because the reported Preview Pane path materially changes exposure even without KEV; in practice that means prioritizing classic Outlook/Office endpoints, disabling Preview Pane where you can, and tightening Office child-process controls. Under the noisgate remediation SLA, complete the actual Microsoft patch rollout for all affected Office channels within 90 days, with the first-wave deployment focused on the mail-heavy user population and any shared Windows endpoint estates in the first few days.

Sources

  1. NVD CVE-2026-40361
  2. Microsoft Security Update Guide
  3. Microsoft Support: May 2026 updates for Microsoft Office
  4. Microsoft Support: Word 2016 security update KB5002858
  5. Microsoft Learn: Update history for Microsoft 365 Apps
  6. Microsoft Learn: Update history for Office LTSC 2024 and Office 2024
  7. CISA Known Exploited Vulnerabilities Catalog
  8. SecurityWeek coverage of Preview Pane trigger