Microsoft’s May 2026 security updates include two critical Microsoft Word remote code execution flaws that matter for Outlook users because the Preview Pane is an attack vector. CVE-2026-40361 is a use-after-free issue in Word, while CVE-2026-40364 involves type confusion and related memory-safety weaknesses. Microsoft rates both as Critical, with CVSS 8.4, and marks exploitation as more likely [1][2].
Neither CVE is listed as publicly disclosed or exploited at publication time, but the delivery path is what makes them useful to attackers. A malicious document does not have to look like a suspicious installer; it can arrive as an ordinary attachment and be rendered by the Office/Outlook preview flow. That makes these bugs more relevant to everyday email security than a typical local file-parsing bug.
Why Preview Pane Changes the Risk
Microsoft’s advisory is careful about the wording: the attacker is remote, while the vulnerable code executes locally when the crafted content is processed. For defenders, the practical result is simple. If Word and Outlook are patched late, a mailbox becomes the delivery lane and the endpoint becomes the execution point. This is also why email filtering alone is not enough: a file that looks like a normal document may reach a user or shared mailbox before signatures and sandbox verdicts catch up.
The first response is to deploy the May Office updates quickly across desktop Office, Microsoft 365 Apps, terminal servers, VDI pools, and any system that previews Word documents through Office components. The second response is exposure control. Until patching is complete, reduce automatic preview of Office documents where policy allows, keep Protected View and attachment handling controls enabled, and pay attention to mailboxes that receive unsolicited resumes, invoices, legal notices, school forms, purchase orders, or support attachments.
Incident review should focus on attachment handling rather than only endpoint alerts. Look for recent Word attachments from unknown senders, documents opened from Outlook preview, Office crash events, child processes spawned by Office applications, and outbound connections shortly after document rendering. Gridinsoft has covered related Microsoft email risk before, including Outlook vulnerabilities used by Russian hackers, Microsoft AiTM phishing, and campaigns where malware spread through WhatsApp and Outlook lures. The same rule applies here: treat document preview as part of the attack surface, not as a harmless convenience.
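To make the review criteria above concrete, here is an added triage script (not from the article or from Gridinsoft) that runs three of those signals, Word rendered under Outlook, an Office application spawning an interpreter, and an outbound connection from that child shortly afterwards, over constructed process and network events. The event shape, the watch list of child process names and the 120-second pairing window are assumptions to tune to your own telemetry.

```python
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "outlook.exe"}
# Interpreters and living-off-the-land binaries that Office has no routine
# reason to start; constructed watch list, extend it for your environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed sample telemetry in a simplified process/network event shape.
EVENTS = [
    {"ts": "2026-05-13T09:14:02", "type": "process", "host": "ws01", "pid": 4100,
     "image": "outlook.exe", "parent": "explorer.exe"},
    {"ts": "2026-05-13T09:15:40", "type": "process", "host": "ws01", "pid": 4188,
     "image": "winword.exe", "parent": "outlook.exe"},       # document rendered from Outlook
    {"ts": "2026-05-13T09:15:47", "type": "process", "host": "ws01", "pid": 4210,
     "image": "powershell.exe", "parent": "winword.exe"},    # Word starting an interpreter
    {"ts": "2026-05-13T09:15:52", "type": "network", "host": "ws01", "pid": 4210,
     "image": "powershell.exe", "dest": "203.0.113.5:443"},  # outbound seconds later
    {"ts": "2026-05-13T10:02:30", "type": "process", "host": "ws02", "pid": 5010,
     "image": "splwow64.exe", "parent": "winword.exe"},      # benign print helper, ignored
    {"ts": "2026-05-13T11:00:00", "type": "process", "host": "ws03", "pid": 6001,
     "image": "cmd.exe", "parent": "winword.exe"},
    {"ts": "2026-05-13T11:10:00", "type": "network", "host": "ws03", "pid": 6001,
     "image": "cmd.exe", "dest": "198.51.100.7:8080"},       # outside the window, not paired
]

def triage(events, window=timedelta(seconds=120)):
    """Return findings in time order: Word rendered under Outlook, Office spawning
    a watch-listed child, and outbound traffic from such a child within `window`."""
    findings = []
    flagged = {}  # (host, pid) of a suspicious Office child -> its start time
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, when = (ev["host"], ev["pid"]), datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            if ev["image"] == "winword.exe" and ev["parent"] == "outlook.exe":
                findings.append({"rule": "word_rendered_from_outlook", "host": ev["host"],
                                 "detail": f"outlook.exe -> winword.exe (pid {ev['pid']})"})
            elif ev["parent"] in OFFICE_APPS and ev["image"] in SUSPICIOUS_CHILDREN:
                flagged[key] = when
                findings.append({"rule": "office_spawned_child", "host": ev["host"],
                                 "detail": f"{ev['parent']} -> {ev['image']} (pid {ev['pid']})"})
        elif ev["type"] == "network" and key in flagged and when - flagged[key] <= window:
            findings.append({"rule": "outbound_after_render", "host": ev["host"],
                             "detail": f"{ev['image']} (pid {ev['pid']}) -> {ev['dest']}"})
    return findings

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['host']}] {f['rule']}: {f['detail']}")
```

The ws03 case shows the pairing window at work: the child spawn is still reported, but a connection ten minutes later is left for a wider window or manual review.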
For home users and small teams, the useful checklist is short: install the Office updates, restart Office apps, avoid previewing unexpected Word attachments until updates are confirmed, and scan any machine that recently opened a suspicious document. For managed environments, confirm update compliance before relying on user warnings, because this class of bug is strongest when the user never thinks they actively opened anything dangerous.
References
- [1] Microsoft Security Response Center, “CVE-2026-40361 Microsoft Word Remote Code Execution Vulnerability,” May 12, 2026 (MSRC advisory).
- [2] Microsoft Security Response Center, “CVE-2026-40364 Microsoft Word Remote Code Execution Vulnerability,” May 12, 2026 (MSRC advisory).
Related Microsoft mail risk: Microsoft later flagged Exchange Server CVE-2026-42897 as exploited through a crafted OWA email path, with temporary protection delivered through Exchange Emergency Mitigation Service.