
CVE-2026-40361: four code-execution flaws in Microsoft Word, and the Preview Pane is enough

Microsoft’s May 12, 2026 Patch Tuesday shipped fixes for four remote code execution vulnerabilities in Word: CVE-2026-40361, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367. All four carry the same CVSS score, 8.4, and they share one detail that makes them nastier than the number suggests: the Windows Preview Pane acts as an attack vector.

What “Preview Pane as a vector” means

When you select a file in Windows Explorer or read a message in Outlook, the Preview Pane renders the document content without you opening it. For a Word flaw that triggers while parsing a crafted document, that removes a step from the attack. The victim doesn’t have to double-click or press “Enable Editing.” The malicious file only needs to pass through the preview for the attacker’s code to get its chance to run.

The attack still depends on the document reaching the machine. Microsoft classifies the vector as social engineering: an email attachment, a shared file, a download. This isn’t a worm that spreads across the network on its own.

Severity and likelihood

Microsoft tagged CVE-2026-40361 and CVE-2026-40364 as “Exploitation More Likely” in its exploitability index. That’s the rating it reserves for flaws whose pattern looks attractive and technically tractable to anyone building an exploit. The other two, CVE-2026-40366 and CVE-2026-40367, landed at a lower likelihood.

Microsoft rates the set as critical. Code runs with the privileges of the user who has Word open, so the real damage depends on which account the victim works under. On a workstation where the user is a local administrator, the reach is total.

Who’s affected and what to do

The affected product is Microsoft Word across its desktop editions inside the Office suite. Microsoft didn’t list specific version numbers in the advisory beyond naming the product.

The fix is straightforward: install the May 2026 security updates through Windows Update or the Microsoft 365 / Office update channel. If you manage a fleet, prioritize these patches, because two of the four flaws are flagged as more likely to be exploited and the Preview Pane strips away the last bit of user interaction.

While you roll out patches, one measure cuts exposure: turn off the Preview Pane in Explorer and in Outlook for Office attachments. It doesn’t replace the patch, but it closes the attacker’s easiest path. And the usual hygiene still holds: be wary of unsolicited Word documents, especially those arriving by email from external senders.
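One way to apply that interim measure on a fleet, as an added PowerShell example rather than anything from the article or from Microsoft: it removes the Word preview handler's machine-wide registration (which both Explorer and Outlook use to render Word attachments) after exporting a backup, and hides the Explorer Preview Pane for the current user. It assumes the handler's display name under the PreviewHandlers key contains "Word", and the HKLM changes need an elevated shell.

```powershell
# Added example, not from the article. Audit and remove the Microsoft Word preview
# handler registration so neither Explorer nor Outlook renders Word files in a
# preview pane; hide the Explorer Preview Pane for the current user as well.
# Assumption: the handler's display name contains "Word" (true on stock installs).
$HandlerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\PreviewHandlers'  # 32-bit Office
)
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AdvKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-WordPreviewHandler {
    # Each value under PreviewHandlers is "<CLSID>" = "<display name>".
    foreach ($key in $HandlerKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($clsid in $item.GetValueNames()) {
            $name = $item.GetValue($clsid)
            if ($name -like '*Word*') {
                [pscustomobject]@{ Key = $key; Clsid = $clsid; Name = $name }
            }
        }
    }
}

function Disable-WordPreviewHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$BackupPath = "$env:TEMP\PreviewHandlers-backup.reg")
    # Export the 64-bit key first so the registration can be restored after patching.
    if (-not (Test-Path $BackupPath)) {
        reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers' $BackupPath /y | Out-Null
    }
    foreach ($h in Get-WordPreviewHandler) {
        if ($PSCmdlet.ShouldProcess("$($h.Clsid) ($($h.Name))", 'Remove preview handler registration')) {
            Remove-ItemProperty -Path $h.Key -Name $h.Clsid
        }
    }
}

function Disable-ExplorerPreviewPane {
    # NoPreviewPane hides the pane via policy; ShowPreviewHandlers=0 stops Explorer
    # from loading preview handlers even if a user re-enables the pane.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'NoPreviewPane' -Value 1 -Type DWord
    Set-ItemProperty -Path $AdvKey -Name 'ShowPreviewHandlers' -Value 0 -Type DWord
}

# Dry run first, then apply:
#   Disable-WordPreviewHandler -WhatIf
#   Disable-WordPreviewHandler; Disable-ExplorerPreviewPane
```

Re-import the exported .reg file once the May 2026 updates are installed to restore Word previews.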

If you’re on Linux and open these files with LibreOffice or OnlyOffice instead of Word, these particular flaws don’t touch you, since they live in Microsoft Word’s own code. Worth keeping in mind on mixed setups where Windows and Linux workstations coexist.
