cve-2026-40363

CVE-2026-40363 is a critical Microsoft Office remote code execution vulnerability disclosed by Microsoft on May 12, 2026. It stems from a heap-based buffer overflow that can be triggered through the Preview Pane, making document handling a security risk. The flaw affects Microsoft 365 Apps, Office 2016, Office 2019, Office LTSC 2021 and 2024, as well as Office for Mac and Android. While Microsoft rates exploitation as less likely and has not observed active attacks, the Preview Pane attack vector demands prompt patching. Administrators should prioritize applying the security update and verifying its installation across affected systems to mitigate potential exploitation of CVE-2026-40363.