Threat level: high

CVE-2026-40363: Microsoft Office Heap-based Buffer Overflow

A heap-based buffer overflow vulnerability in Microsoft Office allows an unauthenticated, local attacker to execute arbitrary code.

CVE-2026-40363 is a heap-based buffer overflow vulnerability affecting Microsoft Office. An unauthorized attacker could exploit this vulnerability to execute arbitrary code on a local system. The vulnerability stems from improper memory management within the Office suite when handling specific file formats or data structures. Successful exploitation of this vulnerability could allow an attacker to gain control of the affected system, potentially leading to data theft, system compromise, or further malicious activities. Defenders should prioritize patching this vulnerability to prevent potential exploitation.

Attack Chain

  1. An attacker crafts a malicious document (e.g., Word, Excel, PowerPoint) specifically designed to trigger the heap-based buffer overflow within Microsoft Office.
  2. The attacker convinces a user to open the malicious document locally via social engineering.
  3. Microsoft Office attempts to parse the malicious document, leading to the heap-based buffer overflow when handling a specific data structure.
  4. The buffer overflow allows the attacker to overwrite memory on the heap, potentially corrupting critical data structures or injecting malicious code.
  5. The attacker leverages the memory corruption to gain control of the program counter and redirect execution flow to the injected malicious code.
  6. The injected code executes with the privileges of the Microsoft Office application.
  7. The attacker can now perform arbitrary actions on the local system, such as installing malware, stealing sensitive data, or creating new user accounts.
  8. The attacker achieves their objective, such as gaining persistent access to the system or exfiltrating sensitive data.

Impact

Successful exploitation of CVE-2026-40363 allows a local attacker to execute arbitrary code with the privileges of the Microsoft Office application, potentially leading to full system compromise. This could result in data theft, malware installation, or further lateral movement within the network. The vulnerability is classified as HIGH severity with a CVSS score of 8.4. While the number of victims is currently unknown, the widespread use of Microsoft Office makes this a critical vulnerability to address.

Recommendation

  • Patch CVE-2026-40363 by applying the latest Microsoft Office updates from the Microsoft Security Response Center (MSRC) advisory.
  • Enable Microsoft Defender for Office 365, including its exploit protection features.
  • Deploy the Sigma rules in this brief to your SIEM to detect exploitation attempts.
  • Monitor process creation events for unusual child processes spawned by Microsoft Office applications.
  • Train users to be cautious about opening unsolicited or suspicious documents, especially from unknown sources.

Detection coverage (2 rules)

Rule: Detects CVE-2026-40363 Exploitation - Suspicious Office Child Process

Severity: high

Description: Detects CVE-2026-40363 exploitation. Monitors for unusual child processes spawned by Microsoft Office applications, which may indicate successful code execution.

Type: Sigma | Tactics: execution | Techniques: T1059.001 | Log sources: process_creation, windows

Rule: Detects CVE-2026-40363 Attempt - Office Application Spawning Unusual Network Connection

Severity: medium

Description: Detects CVE-2026-40363 exploitation attempts. Monitors for network connections initiated by Office applications to uncommon ports or IP addresses.

Type: Sigma | Tactics: command_and_control | Techniques: T1071.001 | Log sources: network_connection, windows
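The logic of the first rule above (Office parent spawning an unusual child), as an added example that is not part of the brief or of the vendor's Sigma rules. It assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine), and the list of suspicious child images is an assumption, since the brief only says "unusual child processes"; the sample events are constructed.

```python
"""Flag process-creation events where an Office application launches a shell or
script host. Field names follow Sysmon Event ID 1; events below are constructed."""
import ntpath
from typing import Dict, List

# Parent images of interest: the Office applications named in the brief.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed list of children an opened document has no business launching;
# Office -> script host/shell is the classic post-exploitation step (T1059.001).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (either slash style)."""
    return ntpath.basename(path.replace("/", "\\")).lower()

def is_suspicious_office_child(event: Dict[str, str]) -> bool:
    """True when an Office parent launches one of the suspicious child images."""
    parent = _image_name(event.get("ParentImage", ""))
    child = _image_name(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the matching events so a SIEM pipeline can alert on each one."""
    return [e for e in events if is_suspicious_office_child(e)]

# Constructed sample telemetry (not real events): a benign Word print helper,
# a non-Office parent, and two Office-spawned shells that should be flagged.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <constructed placeholder>"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {_image_name(hit['ParentImage'])} -> {hit['CommandLine']}")
```

Tune OFFICE_PARENTS and SUSPICIOUS_CHILDREN to your environment's baseline before deploying, since legitimate add-ins occasionally launch script hosts.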
