
CVE-2026-40361

Severity: HIGH · CVSS 8.4 · EPSS 0.1%
Hype: LIKELY HACK (72, hack)

Patch released, researcher claim, CTI activity reports, but no KEV; mixed vendor/community credibility.

What: Use-after-free in Microsoft Office Word and Outlook allows local code execution (CVSS 8.4 HIGH). Affects enterprise mail and document processing.

Why it matters: Microsoft released a patch on 2026-05-12, two days before social chatter peaked. Posts describe zero-click triggering via email preview in Outlook's shared rendering engine. A researcher claims discovery in Q1 2026. CTI team reports targeting activity. No KEV listing yet, but urgent patching and defender concern signal real exploitation risk.

Where it's seen: Microsoft Security Response Center advisory cited across Bluesky and X. A researcher claims discoverer credit. Cybersecurity news outlets and VulDB are flagging the "critical 0-click" angle. Chatter emphasizes enterprise inbox risk and cross-product impact (Word/Outlook).

RISK: HIGH — Use-after-free RCE with zero-click trigger; patch available; targeting observed; high CVSS.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/14/2026, 5:34:36 AM

Description

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

CVSS 3.1 breakdown

Exploitability 2.5 · Impact 5.9
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack vector: Local
Complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Weaknesses