CVE-2026-40363
published 2026-05-12CVE-2026-40363: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
high8.4CVSS 3.1
AVLACLPRNUINSUCHIHAH
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_365_apps_for_enterprise | >= 16.0.1 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_2016 | >= 16.0.0 < 16.0.5552.1000 | 16.0.5552.1000 |
| microsoft | microsoft_office_2019 | >= 19.0.0 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_for_android | >= 16.0.1 < 16.0.19822.20190 | 16.0.19822.20190 |
| microsoft | microsoft_office_ltsc_2021 | >= 16.0.1 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_ltsc_2024 | >= 16.0.0 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_ltsc_for_mac_2021 | >= 16.0.1 < 16.109.26051019 | 16.109.26051019 |
| microsoft | microsoft_office_ltsc_for_mac_2024 | >= 16.0.0 < 16.109.26051019 | 16.109.26051019 |
| microsoft | office | < 16.0.19822.20190 | 16.0.19822.20190 |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office_long_term_servicing_channel | — | — |
| microsoft | office_long_term_servicing_channel | — | — |