You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
cve-2026-40420
About this tag
CVE-2026-40420 is an Important-rated elevation-of-privilege vulnerability in Microsoft Office Click-To-Run, disclosed by Microsoft on May 12, 2026. It affects Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, and Office LTSC 2024. While not a remote-code-execution flaw, it allows a low-privileged local attacker to gain SYSTEM privileges, with a scope change that may indicate a browser sandbox escape. Administrators should treat this as a post-compromise accelerator rather than a typical Office bug. Discussions on WindowsForum cover the technical details, exploitation likelihood, and mitigation strategies for this vulnerability.
Microsoft disclosed CVE-2026-40420 on May 12, 2026, as an Important-rated elevation-of-privilege vulnerability in Microsoft Office Click-To-Run affecting Microsoft 365 Apps for Enterprise and supported Office 2019, Office LTSC 2021, and Office LTSC 2024 installations. The bug is not a...