CVE-2026-40364

Summary

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Affected Software

VendorProductVersion RangeStatus
MicrosoftMicrosoft 365 Apps for Enterprise16.0.1 < https://aka.ms/OfficeSecurityReleasesaffected
MicrosoftMicrosoft Office 201919.0.0 < https://aka.ms/OfficeSecurityReleasesaffected
MicrosoftMicrosoft Office LTSC 202116.0.1 < https://aka.ms/OfficeSecurityReleasesaffected
MicrosoftMicrosoft Office LTSC 202416.0.0 < https://aka.ms/OfficeSecurityReleasesaffected
MicrosoftMicrosoft Office LTSC for Mac 202116.0.1 < 16.109.26051019affected
MicrosoftMicrosoft Office LTSC for Mac 202416.0.0 < 16.109.26051019affected
MicrosoftMicrosoft Word 201616.0.1 < 16.0.5552.1000affected

Weaknesses

  • CWE-843: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
  • CWE-908: CWE-908: Use of Uninitialized Resource
  • CWE-122: CWE-122: Heap-based Buffer Overflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References