CVE-2026-40418: Microsoft Office Click-To-Run Use-After-Free Vulnerability
CVE-2026-40418 is a use-after-free vulnerability in Microsoft Office Click-To-Run that allows an authorized attacker to elevate privileges locally.
CVE-2026-40418 is a use-after-free vulnerability affecting Microsoft Office Click-To-Run. It allows an attacker who already has local, authorized access to the system to elevate their privileges. The flaw stems from improper memory management within the Click-To-Run component, in which memory is accessed after it has been freed. An authorized attacker could exploit it to execute arbitrary code with elevated privileges, gaining unauthorized access to and control over the affected system. Successful exploitation requires the attacker to already hold some level of access to the target machine.
Attack Chain
- Attacker gains initial authorized access to the target system.
- Attacker identifies a process using the vulnerable Microsoft Office Click-To-Run component.
- Attacker triggers the use-after-free condition within the Office Click-To-Run application by sending a specially crafted input.
- The application attempts to access a previously freed memory location, causing a crash or unexpected behavior.
- Attacker leverages the use-after-free vulnerability to corrupt memory and redirect execution flow.
- Attacker injects malicious code into memory.
- The injected code is executed with the privileges of the Office Click-To-Run application.
- Attacker elevates privileges and gains unauthorized control over the system.
Impact
Successful exploitation of CVE-2026-40418 allows an authorized local attacker to elevate their privileges on the targeted system. This could lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and modification of system configurations. Given the widespread use of Microsoft Office, this vulnerability could potentially affect numerous organizations and individuals.
Recommendation
- Apply the security update provided by Microsoft to patch CVE-2026-40418 on all systems running Microsoft Office Click-To-Run as soon as possible (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40418).
- Implement the Sigma rule “Detect CVE-2026-40418 Exploitation Attempt — Suspicious Office Process Memory Access” to detect potential exploitation attempts.
- Monitor for suspicious process behavior and memory access patterns in Microsoft Office Click-To-Run processes.
- Restrict local access to systems running Microsoft Office Click-To-Run to minimize the attack surface.
Detection coverage (2 rules)
- Detect CVE-2026-40418 Exploitation Attempt — Suspicious Office Process Memory Access (severity: high). Detects CVE-2026-40418 exploitation attempt — monitors for suspicious memory access patterns from Microsoft Office Click-To-Run processes.
- Detect CVE-2026-40418 Exploitation Attempt — Office Click-To-Run Process Spawning Suspicious Child Process (severity: medium). Detects CVE-2026-40418 exploitation attempt — monitors for Microsoft Office Click-To-Run processes spawning cmd.exe or powershell.exe as a child process, indicating potential code execution.
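As an added example (not from the advisory or from Microsoft), the logic of the second detection above written out in Python and run over constructed process-creation records in Sysmon Event ID 1 style; the parent image name OfficeClickToRun.exe and the record field names ProcessId, Image and ParentImage are assumptions.

```python
"""Re-implementation of the 'Office Click-To-Run spawning suspicious child process'
detection, run over constructed Sysmon-style (Event ID 1) process-creation records.
Assumptions: Click-To-Run runs as OfficeClickToRun.exe, and records carry
ProcessId / Image / ParentImage fields. This is not the vendor's rule code."""
from pathlib import PureWindowsPath

# Parent binaries treated as Microsoft Office Click-To-Run (assumed name).
C2R_PARENT_IMAGES = {"officeclicktorun.exe"}
# Children the advisory's rule flags when spawned from Click-To-Run.
SUSPICIOUS_CHILD_IMAGES = {"cmd.exe", "powershell.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path ('C:\\X\\CMD.EXE' -> 'cmd.exe')."""
    return PureWindowsPath(path).name.lower()


def is_suspicious_spawn(event: dict) -> bool:
    """True when a Click-To-Run parent starts cmd.exe or powershell.exe.
    Matching on the file name only makes the check case- and path-insensitive."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in C2R_PARENT_IMAGES and child in SUSPICIOUS_CHILD_IMAGES


def scan(events) -> list:
    """Return the ProcessIds of all records the rule would alert on."""
    return [e["ProcessId"] for e in events if is_suspicious_spawn(e)]


# Constructed sample records (not real telemetry).
C2R = r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"
SAMPLE_EVENTS = [
    # Expected Click-To-Run behaviour: launching its own client component.
    {"ProcessId": 4001, "ParentImage": C2R,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe"},
    # Rule hit: Click-To-Run spawning a shell.
    {"ProcessId": 4002, "ParentImage": C2R, "Image": r"C:\Windows\System32\cmd.exe"},
    # Rule hit despite odd casing and a SysWOW64 path: the name-based match still fires.
    {"ProcessId": 4003, "ParentImage": C2R.upper(),
     "Image": r"C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE"},
    # Not a hit for this rule: the parent is Word, not Click-To-Run.
    {"ProcessId": 4004, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    print("alerting ProcessIds:", scan(SAMPLE_EVENTS))
```

Tuning for a real deployment means confirming the parent image name and install path on the estate, and adding any legitimate Click-To-Run child processes observed there to an allowlist rather than loosening the child match.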