{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/office-word/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41101"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office Word"],"_cs_severities":["medium"],"_cs_tags":["cve","spoofing","office","word"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-41101 is a security vulnerability affecting Microsoft Office Word. The vulnerability stems from an improper access control issue that allows an authorized attacker to perform spoofing locally. This could potentially allow an attacker with local access to the system to manipulate the user interface or other elements within Word to mislead the user. The vulnerability has a CVSS v3.1 score of 7.1, indicating a high severity level. This vulnerability was disclosed on May 12, 2026, and requires a patch from Microsoft to mitigate the risk. 
Defenders should prioritize applying the necessary updates to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a system with a vulnerable version of Microsoft Office Word.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious Word document or utilizes an existing document.\u003c/li\u003e\n\u003cli\u003eThe malicious document leverages the improper access control vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerability is triggered when the crafted document is opened by a user with Word.\u003c/li\u003e\n\u003cli\u003eThe attacker spoofs elements within the Word interface.\u003c/li\u003e\n\u003cli\u003eThe spoofing misleads the user, potentially leading to further actions.\u003c/li\u003e\n\u003cli\u003eAttacker achieves their objective, such as gaining access to sensitive information or tricking the user into running malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41101 could allow a local attacker to spoof elements within Microsoft Word, potentially misleading users and leading to further malicious activity. While the impact is limited to local users, the ability to spoof the interface could be used to trick users into providing sensitive information or executing malicious code. 
The CVSS score of 7.1 reflects the high potential for impact, particularly in environments where local security is not strictly enforced.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-41101 as soon as possible by checking the Microsoft Security Update Guide referenced in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-41101 Exploitation Attempt via Suspicious Word Process Creation\u0026rdquo; to your SIEM to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual Word child processes using the \u003ccode\u003eprocess_creation\u003c/code\u003e log source to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:52:01Z","date_published":"2026-05-12T18:52:01Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41101-word-spoofing/","summary":"CVE-2026-41101 is a vulnerability in Microsoft Office Word due to improper access control, which allows an authorized attacker to perform spoofing locally, with a CVSS v3.1 base score of 7.1.","title":"CVE-2026-41101: Microsoft Office Word Improper Access Control Vulnerability Leading to Local Spoofing","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-41101-word-spoofing/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-40367"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office Word"],"_cs_severities":["high"],"_cs_tags":["cve-2026-40367","office-word","rce","untrusted-pointer-dereference","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40367 is an untrusted pointer dereference vulnerability affecting Microsoft Office Word. 
This vulnerability enables an unauthorized attacker to execute arbitrary code locally on a vulnerable system. The vulnerability stems from improper handling of memory pointers within the application, leading to a situation where a maliciously crafted document can trigger the dereference of an untrusted pointer. Successful exploitation allows attackers to gain control over the affected system, potentially leading to data theft, malware installation, or further unauthorized activities. This vulnerability poses a significant risk to organizations and individuals using Microsoft Office Word, as it can be exploited through social engineering tactics, such as distributing malicious documents via email or other communication channels.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Word document designed to trigger the untrusted pointer dereference vulnerability (CVE-2026-40367).\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious document to a target user via email, shared network drive, or other means.\u003c/li\u003e\n\u003cli\u003eThe target user opens the malicious document in Microsoft Office Word.\u003c/li\u003e\n\u003cli\u003eUpon opening the document, the vulnerable code path is triggered, causing the application to attempt to dereference an untrusted pointer.\u003c/li\u003e\n\u003cli\u003eThe untrusted pointer dereference leads to the execution of arbitrary code within the context of the Word process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to install malware, establish persistence, or perform other malicious activities on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to escalate privileges or move laterally within the network, depending on the initial access level.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of 
CVE-2026-40367 allows an attacker to execute arbitrary code on a target system with the privileges of the user running Microsoft Office Word. This can lead to complete system compromise, including data theft, malware installation, and denial of service. Given the widespread use of Microsoft Office Word, this vulnerability has the potential to affect a large number of users and organizations. If successful, an attacker could gain a foothold within an organization\u0026rsquo;s network and use it as a launching point for further attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-40367 as soon as possible.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts targeting CVE-2026-40367.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of opening documents from untrusted sources to mitigate the risk of social engineering attacks.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual or suspicious processes spawned by Microsoft Word, as indicated in the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:43:21Z","date_published":"2026-05-12T18:43:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40367-word-rce/","summary":"CVE-2026-40367 is an untrusted pointer dereference vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally with a CVSS v3.1 base score of 8.4.","title":"CVE-2026-40367: Microsoft Office Word Untrusted Pointer Dereference Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40367-word-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-40366"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 
Word"],"_cs_severities":["high"],"_cs_tags":["use-after-free","code-execution","cve-2026-40366"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40366 is a use-after-free vulnerability affecting Microsoft Office Word. This vulnerability allows an attacker with local access to execute arbitrary code. The vulnerability stems from improper memory management within the application, where a pointer to a freed memory region is dereferenced, leading to exploitable conditions. While the specific exploitation details are not available, the potential for arbitrary code execution makes this a high-severity vulnerability requiring immediate attention from security teams. The vulnerability was reported to Microsoft and assigned CVE-2026-40366.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the nature of use-after-free vulnerabilities and the lack of specific exploitation details, a generic attack chain is described below:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Word document with a specific structure triggering the memory corruption.\u003c/li\u003e\n\u003cli\u003eThe user opens the malicious document in Microsoft Office Word.\u003c/li\u003e\n\u003cli\u003eThe application processes the document, leading to the use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the use-after-free vulnerability to overwrite a critical data structure in memory.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the Word process.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the Word process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves local code execution on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful 
exploitation of CVE-2026-40366 allows an attacker to execute arbitrary code on the victim\u0026rsquo;s machine with the privileges of the Microsoft Office Word application. This can lead to complete system compromise, data theft, installation of malware, or other malicious activities. The vulnerability impacts any environment where vulnerable versions of Microsoft Office Word are used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch released by Microsoft to address CVE-2026-40366 as soon as possible (Reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40366\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40366\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Word Process Creation\u003c/code\u003e to identify potential exploitation attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to provide the necessary data for the deployed Sigma rules (see rule logsource).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:43:06Z","date_published":"2026-05-12T18:43:06Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40366-word-uaf/","summary":"CVE-2026-40366 is a use-after-free vulnerability in Microsoft Office Word allowing local code execution by an unauthorized attacker.","title":"CVE-2026-40366: Microsoft Office Word Use-After-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40366-word-uaf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-40364"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office Word"],"_cs_severities":["high"],"_cs_tags":["cve-2026-40364","type confusion","code execution","office word","msword"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40364 is a type confusion 
vulnerability in Microsoft Office Word that can lead to arbitrary code execution. An attacker could potentially exploit this vulnerability to execute code locally with the privileges of the current user. The vulnerability arises from improper handling of object types within Word, leading to memory corruption when processing specially crafted documents. While the specifics of exploitation are not detailed in the advisory, the high CVSS score and potential for local code execution make this a significant threat for systems running affected versions of Microsoft Office Word. Defenders should prioritize patching and consider implementing proactive detection measures to identify potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Word document containing a payload designed to trigger the type confusion vulnerability (CVE-2026-40364).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted document to a target user via email, shared drive, or other means.\u003c/li\u003e\n\u003cli\u003eThe user opens the malicious document in Microsoft Office Word.\u003c/li\u003e\n\u003cli\u003eWord attempts to process the document, triggering the type confusion vulnerability due to the incompatible object types.\u003c/li\u003e\n\u003cli\u003eThe type confusion error leads to memory corruption within the Word process.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload leverages the memory corruption to overwrite critical data structures.\u003c/li\u003e\n\u003cli\u003eThe overwritten data structures are manipulated to redirect execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves local code execution with the privileges of the user, potentially leading to further malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of 
CVE-2026-40364 allows an attacker to execute arbitrary code locally on a vulnerable system. The impact is significant, potentially allowing an attacker to install malware, steal sensitive data, or perform other malicious actions with the privileges of the logged-on user. Given the widespread use of Microsoft Office Word, this vulnerability poses a substantial risk to a large number of users and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-40364 as soon as possible (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40364\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40364\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Process Creation from Winword.exe\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable and review Microsoft Office\u0026rsquo;s Protected View settings to mitigate the risk of malicious documents.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening unsolicited or suspicious documents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:35:37Z","date_published":"2026-05-12T18:35:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-office-word-type-confusion/","summary":"Microsoft Office Word is vulnerable to CVE-2026-40364, a type confusion vulnerability that allows an unauthorized attacker to execute code locally.","title":"CVE-2026-40364: Microsoft Office Word Type Confusion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-office-word-type-confusion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-40361"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 
Word"],"_cs_severities":["high"],"_cs_tags":["cve-2026-40361","use-after-free","code-execution","office-word","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40361 is a use-after-free vulnerability affecting Microsoft Office Word. This vulnerability allows an unauthorized attacker to execute code locally on a vulnerable system. The vulnerability resides in how Word handles certain objects in memory. If an object is freed and later accessed again, it can lead to arbitrary code execution. An attacker could potentially exploit this vulnerability by crafting a malicious Word document that, when opened, triggers the use-after-free condition. Successful exploitation could allow the attacker to execute arbitrary code in the context of the current user. This poses a significant risk to organizations as it could lead to data breaches, malware infections, or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Microsoft Word document containing a specially crafted object designed to trigger the use-after-free vulnerability (CVE-2026-40361).\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious Word document to the victim via email or other means of file transfer.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious Word document using a vulnerable version of Microsoft Office Word.\u003c/li\u003e\n\u003cli\u003eWord attempts to process the crafted object within the document.\u003c/li\u003e\n\u003cli\u003eThe vulnerability is triggered when Word attempts to access a memory location that has already been freed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the program counter due to the use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this control to execute arbitrary code on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe 
attacker can then perform malicious actions such as installing malware, stealing sensitive data, or gaining further access to the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40361 allows an attacker to execute arbitrary code locally on the victim\u0026rsquo;s machine. This could lead to a complete compromise of the affected system, including data theft, malware installation, and lateral movement within the network. Given the widespread use of Microsoft Office Word, this vulnerability poses a significant risk to a large number of users and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-40361 in Microsoft Office Word as soon as possible. 
Reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40361\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40361\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening unsolicited or suspicious Word documents to mitigate the initial access vector.\u003c/li\u003e\n\u003cli\u003eEnable and monitor process creation logs on endpoints to detect suspicious processes spawned by Microsoft Word.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:34:49Z","date_published":"2026-05-12T18:34:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40361-word-uaf/","summary":"CVE-2026-40361 is a use-after-free vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally.","title":"CVE-2026-40361: Microsoft Office Word Use-After-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40361-word-uaf/"}],"language":"en","title":"CraftedSignal Threat Feed — Office Word","version":"https://jsonfeed.org/version/1.1"}