Threat Feed
high advisory

CVE-2026-40359: Microsoft Excel Use-After-Free Vulnerability

CVE-2026-40359 is a use-after-free vulnerability in Microsoft Office Excel that allows a local attacker to execute arbitrary code by exploiting memory corruption.

CVE-2026-40359 is a use-after-free (UAF) vulnerability affecting Microsoft Office Excel. This vulnerability allows an unauthorized, local attacker to execute arbitrary code. The vulnerability exists due to improper handling of memory objects within Excel, leading to a situation where freed memory is accessed again. Successful exploitation allows the attacker to gain control over the affected system. This vulnerability was published on May 12, 2026, and poses a significant risk to systems running vulnerable versions of Microsoft Excel. An attacker could potentially leverage this vulnerability to install malware, steal sensitive data, or perform other malicious activities.

Attack Chain

  1. The attacker crafts a malicious Excel file designed to trigger the use-after-free condition.
  2. The victim opens the specially crafted Excel file.
  3. Excel attempts to access a memory location that has already been freed.
  4. The use-after-free condition leads to memory corruption.
  5. The attacker leverages the memory corruption to overwrite critical data structures within the Excel process.
  6. The attacker gains control of the program counter by overwriting a function pointer or similar mechanism.
  7. The attacker redirects execution flow to attacker-controlled code.
  8. The attacker executes arbitrary code within the context of the Excel process, potentially gaining local code execution.

Impact

Successful exploitation of CVE-2026-40359 allows an attacker to execute arbitrary code locally on a targeted system. Given the ubiquitous use of Microsoft Excel in various sectors, a successful exploit can lead to significant damage, including data theft, malware installation, and potential system compromise. The CVSS v3.1 base score of 7.8 reflects the high potential impact, especially considering the ease of local exploitation if a user opens a malicious Excel file.

Recommendation

  • Apply the security update provided by Microsoft to patch CVE-2026-40359 in Microsoft Office Excel as soon as possible, as referenced in the provided URL.
  • Deploy the Sigma rule Detect Excel Use-After-Free via Suspicious Process Creation to identify potential exploitation attempts based on unusual processes spawned by Excel.
  • Enable process creation logging to capture events necessary for the Sigma rule.

Detection coverage 1

Detect Excel Use-After-Free via Suspicious Process Creation

high

Detects CVE-2026-40359 exploitation: monitors for unusual process creations spawned by Excel that may indicate code execution.

Rule format: sigma
Tactics: execution, privilege_escalation
Techniques: T1059.001
Sources: process_creation, windows
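As an added illustration of the logic such a rule expresses (this is not the platform's Sigma rule, whose content the page does not reproduce), the check below runs over a few constructed process_creation events using Sysmon-style field names (ParentImage, Image, CommandLine); both the field names and the list of child binaries are assumptions made for this example.

```python
import ntpath

# Child binaries Excel has little legitimate reason to spawn. A process_creation
# event with excel.exe as parent and one of these as the image is the signal the
# rule description above is after (T1059.001 covers powershell.exe). This set is
# constructed for the example, not taken from the platform's rule.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def _basename(path: str) -> str:
    # ntpath handles Windows separators on any host; compare case-insensitively.
    return ntpath.basename(path).lower()


def is_suspicious_excel_child(event: dict) -> bool:
    """True if a process_creation event shows excel.exe spawning a suspicious child."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent == "excel.exe" and child in SUSPICIOUS_CHILDREN


def scan(events: list[dict]) -> list[dict]:
    """Return the matching events, preserving order."""
    return [e for e in events if is_suspicious_excel_child(e)]


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},        # print helper: benign child, no alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},            # cmd.exe, but not spawned by Excel
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT excel.exe ->", _basename(hit["Image"]), "|", hit["CommandLine"])
```

The second sample shows why the rule is scoped to a child list rather than "any child of Excel": print and add-in helpers are routinely spawned by Excel and would otherwise flood the alert queue.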
