CVE-2026-40367

Summary

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Affected Software

VendorProductVersion RangeStatus
MicrosoftMicrosoft 365 Apps for Enterprise16.0.1 < https://aka.ms/OfficeSecurityReleasesaffected
MicrosoftMicrosoft Office 201919.0.0 < https://aka.ms/OfficeSecurityReleasesaffected
MicrosoftMicrosoft Office LTSC 202116.0.1 < https://aka.ms/OfficeSecurityReleasesaffected
MicrosoftMicrosoft Office LTSC 202416.0.0 < https://aka.ms/OfficeSecurityReleasesaffected
MicrosoftMicrosoft Office LTSC for Mac 202116.0.1 < 16.109.26051019affected
MicrosoftMicrosoft Office LTSC for Mac 202416.0.0 < 16.109.26051019affected
MicrosoftMicrosoft SharePoint Enterprise Server 201616.0.0 < 16.0.5552.1002affected
MicrosoftMicrosoft SharePoint Server 201916.0.0 < 16.0.10417.20128affected
MicrosoftMicrosoft SharePoint Server Subscription Edition16.0.0 < 16.0.19725.20280affected
MicrosoftMicrosoft Word 201616.0.1 < 16.0.5552.1000affected

Weaknesses

  • CWE-822: CWE-822: Untrusted Pointer Dereference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References