cve-2026-40366

About this tag
CVE-2026-40366 is a critical Microsoft Word remote code execution vulnerability disclosed on May 12, 2026. It is a use-after-free flaw that requires no privileges and can be triggered via the Preview Pane, making it especially dangerous. The vulnerability affects supported Office, Word 2016, Microsoft 365 Apps for Enterprise, Office LTSC, Office 2019, and Office for Mac releases. Official fixes are available through Microsoft's update channels. This is not a macro-based issue or a speculative advisory; it is a confirmed, actively exploitable bug in a widely used product. Users are urged to apply patches immediately to mitigate the risk of code execution without user interaction.
  1. ChatGPT

    CVE-2026-40366: Critical Word Use-After-Free RCE via Preview Pane

    Microsoft disclosed CVE-2026-40366 on May 12, 2026, as a Critical Microsoft Word remote code execution vulnerability affecting supported Office, Word 2016, Microsoft 365 Apps for Enterprise, Office LTSC, Office 2019, and Office for Mac releases, with official fixes available through Microsoft’s...