Microsoft has officially published CVE-2026-35440, a newly disclosed information disclosure vulnerability affecting Microsoft Word. The advisory appeared in the Security Update Guide on May 12, 2026, as part of the routine May Patch Tuesday release cycle for Office fixes.

Information disclosure vulnerabilities in productivity software like Word present a unique risk profile. Unlike remote code execution flaws, these vulnerabilities do not allow attackers to run arbitrary code, but they can leak sensitive data from a targeted system. In the context of a word processing application, attackers might craft a document that, when opened, triggers a leakage of memory contents, file data, or even authentication tokens. Microsoft’s advisory for CVE-2026-35440 does not go into specific technical detail—it often withholds such information until after patches are widely deployed—but the classification alone signals a need for immediate attention.

Understanding Information Disclosure in Microsoft Word

At a technical level, an information disclosure vulnerability in a complex application like Word can stem from a variety of root causes. Common culprits include out-of-bounds reads, use of uninitialized memory, and integer or length-field handling errors in file parsers. When a specially crafted document is processed, the vulnerable component may read past the end of a buffer, or copy a heap allocation into the document before every byte of it has been written, and the residual contents then travel with the document or its rendering. That data can include fragments of other open documents, heap pointers, or credentials and tokens the process happens to hold in memory.

Microsoft usually rates such a bug as “Important” on its own four-level scale (Critical, Important, Moderate, Low). That scale is assigned qualitatively and is independent of the CVSS base score the advisory also carries, so an Important rating does not map to a fixed CVSS range; Word information disclosure bugs have typically landed in the CVSS 5.5 to 7.8 band. While not as severe as a “Critical” remote code execution bug, an information disclosure can serve as a stepping stone in a larger attack. For example, leaked memory can reveal heap or module addresses, which defeats Address Space Layout Randomization (ASLR) and makes a separate memory corruption bug in the same process reliably exploitable. In targeted espionage campaigns, the information itself might be the objective, such as fragments of another sensitive document open in the same Word process.

What We Know About CVE-2026-35440

Based solely on the Security Update Guide entry published on May 12, 2026, the following facts are confirmed:
- The CVE identifier is CVE-2026-35440.
- It is classified as an information disclosure vulnerability.
- The affected product is Microsoft Word.
- The fix is included in the May 2026 Patch Tuesday updates for Office.
- Nothing in the entry indicates public disclosure or exploitation before the fix, which is consistent with a coordinated report to Microsoft ahead of release.

Microsoft has not yet provided a CVSS score, exploitability index, or a list of affected versions. Typically, such details are refined in the days following Patch Tuesday as the advisory is updated. The initial publication often contains only the basic information necessary to alert users and administrators.

What We Don’t Know—and Why It Matters

Several critical pieces of information are pending:
- Attack vector: Is the vulnerability exploitable via email (opening an attachment), web-based downloads, or network shares? Most Word vulnerabilities require user interaction, but the preview pane attack vector remains a question mark until Microsoft confirms.
- Affected components: Does the flaw reside in the Word graphics engine, the DOCX parser, legacy binary format handling, or a third-party component incorporated into Office?
- Mitigating factors: Could Protected View or Application Guard prevent exploitation? Is the vulnerability restricted to specific file extensions?
- Exploitation status: Security Update Guide entries carry explicit “Publicly disclosed” and “Exploited” fields. If both read “No” at publication, the bug is taken not to be under active attack, but that status can change within days and the fields are updated in place.

The absence of these details complicates risk assessment for security teams. However, the prudent approach is to assume a worst-case scenario: that the vulnerability is exploitable by convincing a user to open a malicious document, and that no configuration-based mitigations fully block it. Until proven otherwise, patching is the only reliable defense.

The May 2026 Patch Tuesday Context

Patch Tuesday—the second Tuesday of each month—is when Microsoft releases its regular security updates. The May 2026 installment addresses vulnerabilities across the ecosystem, including Windows, Edge, Office, and development tools. CVE-2026-35440 is one among a likely larger set of Office fixes. In recent years, Microsoft has shifted to using the Common Vulnerability Scoring System (CVSS) for severity rating, and it provides an Exploitability Index to help prioritize deployment.

Enterprise administrators should consult the full Security Update Guide to see the complete list of CVEs addressed in May 2026. The updates are cumulative, meaning that installing the latest Office security update resolves all previously known vulnerabilities for that product branch. Note that the Office update channels (Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel) differ in how often they receive feature updates, but security fixes ship to every supported channel on Patch Tuesday; the build number that contains the fix is different for each channel, so check the build for the channel each device is on.

Historical Perspective: Word Information Disclosure Flaws

CVE-2026-35440 is not an isolated incident. Microsoft Word has been targeted for information disclosure in the past. For instance, CVE-2022-24457 and CVE-2020-1447 were similar bugs that allowed attackers to read memory contents through malformed documents. The common thread is that these vulnerabilities often arise from parsing complexity. Word’s file format support spans decades of legacy formats, including .doc, .rtf, and macro-enabled templates, each with its own parsing rules and potential pitfalls.

Over the years, Microsoft has invested in hardening Office through sandboxing technologies like Protected View and Application Guard, and by turning off risky legacy behavior by default, such as blocking VBA macros in files that carry the Mark of the Web. Each of these raises the cost of an attack, but none of them removes the parser bug itself, and each new Patch Tuesday can reveal a fresh vector that bypasses existing defenses. This is why regular updates are not just a checkbox exercise but a critical component of defense-in-depth.

Mitigations and Workarounds

While we await full technical details, several generic mitigations can reduce the risk from Word-based information disclosure attacks:

  1. Apply the May 2026 Office security update. The patch is the definitive fix. For most users, this means ensuring Microsoft Update is enabled. In managed environments, deploy via WSUS, Configuration Manager, or Intune.
  2. Enable Protected View. In Office Trust Center settings, ensure that files from the internet and other unsafe locations open in Protected View, which limits what the document can do.
  3. Use Application Guard for Office where it is still available. It opens untrusted documents inside a virtualized container, isolating the host system from potential attacks. Note that Microsoft announced the deprecation of Application Guard for Office in late 2023, so confirm it is still supported on your Office build before relying on it.
  4. Disable the Preview Pane. In Windows Explorer and Outlook, turning off the Preview Pane prevents documents from being rendered without explicit user interaction.
  5. Implement email filtering. Block common malicious attachment types at the email gateway, such as .doc, .docm, and .rtf files from external sources, unless business-critical.
  6. Educate users. Reinforce that they should not open unexpected attachments, even if they appear to come from known senders, and should verify via alternative means.
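Items 2 and 4 above are registry-backed settings, so they can be audited and enforced across a fleet instead of checked by hand in the Trust Center. The script below is an added example, not from the Microsoft advisory or the Office documentation: it reads the Word Protected View values and the File Explorer preview-pane policy for the current user, reports which ones deviate from the hardened state, and rewrites them when run with -Enforce. It assumes Office 2016 or later (registry hive 16.0, which all Click-to-Run builds use) and a per-user scope; in managed environments prefer the equivalent keys under HKCU:\Software\Policies so users cannot undo them.

```powershell
# Added example (not Microsoft's code): audit and optionally enforce Word Protected
# View and the File Explorer preview pane. Assumes Office 16.0 registry hive and that
# the script runs in the target user's context.
[CmdletBinding()]
param(
    [switch]$Enforce   # rewrite non-compliant values instead of only reporting them
)

$pvKey       = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\ProtectedView'
$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Desired state. For the ProtectedView values 0 means Protected View is ON for that
# source (the names are "Disable..."; Microsoft really does spell "Attachements").
# NoReadingPane = 1 is the policy that turns off the File Explorer preview pane.
$desired = @(
    @{ Key = $pvKey;       Name = 'DisableInternetFilesInPV';   Value = 0; Label = 'Protected View: files from the Internet' }
    @{ Key = $pvKey;       Name = 'DisableUnsafeLocationsInPV'; Value = 0; Label = 'Protected View: unsafe locations' }
    @{ Key = $pvKey;       Name = 'DisableAttachementsInPV';    Value = 0; Label = 'Protected View: Outlook attachments' }
    @{ Key = $explorerPol; Name = 'NoReadingPane';              Value = 1; Label = 'File Explorer preview pane disabled' }
)

function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    # A missing key or value means "not configured".
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = foreach ($setting in $desired) {
    $current = Get-RegValueOrNull -Key $setting.Key -Name $setting.Name
    # Absent value: Protected View defaults to on (0), and the Explorer policy defaults
    # to not set (0), so treating "not configured" as 0 gives the right answer for both.
    $effective = if ($null -eq $current) { 0 } else { [int]$current }
    $compliant = ($effective -eq $setting.Value)

    if (-not $compliant -and $Enforce) {
        if (-not (Test-Path $setting.Key)) { New-Item -Path $setting.Key -Force | Out-Null }
        Set-ItemProperty -Path $setting.Key -Name $setting.Name -Value $setting.Value -Type DWord
        $compliant = $true
    }

    [pscustomobject]@{
        Setting   = $setting.Label
        Current   = if ($null -eq $current) { '(not set)' } else { $current }
        Desired   = $setting.Value
        Compliant = $compliant
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets Intune or Configuration Manager flag hosts that drifted.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Run it once without -Enforce to see the current state; a user who clicked “Enable Editing” permanently for a file type will show up here as a 1 in one of the Protected View values.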

It is crucial to note that these are not guaranteed protections against CVE-2026-35440 specifically; they represent best practices that reduce the overall attack surface.

How to Confirm You’re Protected

After deploying the May 2026 updates, users and administrators can verify the patch status:

  • For Microsoft 365 Apps: In any Office app, go to File > Account > Update Options > Update Now. After updating, the version number should reflect the latest build. Microsoft publishes build numbers on its “Update history for Microsoft 365 Apps” page.
  • For volume-licensed versions (Office LTSC 2024, 2021, 2019): These are Click-to-Run installations too, so the same File > Account page shows the build, and the fixed build for each product is listed in the CVE article. Only legacy MSI-based Office (2016 and earlier) receives the fix as a per-component .msp patch; that patch appears under Control Panel > Programs and Features > View installed updates. Get-HotFix reports only Windows updates and will not list Office patches, so do not rely on it for this check.
  • For Windows Update: If an MSI-based Office install is serviced through Microsoft Update, the Office patch appears in Settings > Windows Update > Update history. Click-to-Run updates come from the Office CDN and do not appear there, so an empty history is not evidence of a missing patch on those machines.
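For more than a handful of machines, the version check should be a script a deployment tool can run as a detection rule. The following is an added example, not taken from the advisory or from Microsoft: it reads the build that Click-to-Run reports, cross-checks it against the file version of WINWORD.EXE (which also covers MSI-based Office 2016, where the Click-to-Run key does not exist), and compares the result to a minimum build. The -MinimumBuild default is a placeholder; the real value is the build listed in the CVE-2026-35440 KB article for the device's update channel, which is not known from the advisory text.

```powershell
# Added example (not Microsoft's code): report whether the local Word build meets a
# minimum build. Assumes Click-to-Run or MSI Office 2016+ on Windows; -MinimumBuild
# is a placeholder to be replaced with the build from the KB article for the channel.
[CmdletBinding()]
param(
    [version]$MinimumBuild = '16.0.0.0'   # placeholder only
)

function Get-WordPatchState {
    param([version]$MinimumBuild)

    # Click-to-Run records the installed build here; it is the same number that
    # File > Account > About Word displays. The CDN URL identifies the update channel.
    $c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
        -ErrorAction SilentlyContinue
    $reported = if ($c2r -and $c2r.VersionToReport) { [version]$c2r.VersionToReport } else { $null }

    # Cross-check against the binary itself. MSI installs have no ClickToRun key,
    # so this is the only source of truth for them.
    $winword = Get-ChildItem -Path "$env:ProgramFiles\Microsoft Office", "${env:ProgramFiles(x86)}\Microsoft Office" `
        -Filter WINWORD.EXE -Recurse -Depth 3 -ErrorAction SilentlyContinue | Select-Object -First 1
    $fileVersion = if ($winword) { [version]$winword.VersionInfo.FileVersion } else { $null }

    # Prefer the Click-to-Run build, which is what the KB article lists.
    $effective = if ($reported) { $reported } else { $fileVersion }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ReportedBuild  = $reported
        WinwordVersion = $fileVersion
        Channel        = if ($c2r) { $c2r.CDNBaseUrl } else { 'MSI (no Click-to-Run key)' }
        MinimumBuild   = $MinimumBuild
        Patched        = if ($effective) { $effective -ge $MinimumBuild } else { $null }   # $null = Word not found
    }
}

$state = Get-WordPatchState -MinimumBuild $MinimumBuild
$state | Format-List
# Exit code doubles as an Intune / Configuration Manager detection result:
# 0 = patched, 1 = unpatched or Word not found.
if ($state.Patched -eq $true) { exit 0 } else { exit 1 }
```

Because each channel has its own fixed build, run the script with the build that matches the channel reported in the Channel field; comparing a Semi-Annual Enterprise Channel device against the Current Channel build will produce a false “unpatched” result.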

Organizations should also monitor the Microsoft Security Update Guide for updates to the CVE-2026-35440 advisory, as Microsoft may add FAQs, severity scores, and exploitation status over time.

The Bigger Picture: Office as an Attack Surface

CVE-2026-35440 highlights the persistent risk posed by document-based attacks. Email remains the primary infection vector for ransomware and spyware, with Office documents often serving as the initial delivery mechanism. The combination of a prolific installed base and complex file parsing creates a fertile environment for vulnerability discovery. While Microsoft has made strides in moving toward more secure defaults and cloud-based protections, the sheer volume of legacy documents ensures that older parsers remain active.

For Microsoft 365 customers, cloud-side controls such as attachment detonation in Defender for Office 365 can stop a malicious document before it reaches the user, but they do not fix the parser on the endpoint. For on-premises or standalone Office installations, local patching is the sole line of defense. The May 2026 Patch Tuesday serves as a timely reminder to audit Office inventory and ensure that all installations—including those on virtual desktops, golden images, and rarely used laptops—are up to date.

What to Expect in the Coming Days

In the days following Patch Tuesday, security researchers will likely begin diffing the updated binaries to identify the root cause of CVE-2026-35440. This can lead to public proof-of-concept exploits, especially if the vulnerability is relatively easy to trigger. Microsoft’s Exploitability Index, when released, will provide a forecast on the likelihood of exploit code emerging. Under the current scale, “0” means exploitation has already been detected, “1” means exploitation is more likely, “2” means exploitation is less likely, and “3” means exploitation is unlikely.

We may also see additional guidance from cybersecurity agencies like CISA, which frequently includes critical Microsoft vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog if active exploitation is detected. So far, there is no indication of in-the-wild exploitation, but that does not reduce the urgency of patching.

Conclusion

CVE-2026-35440 serves as a fresh alert for Microsoft Word users everywhere. While the limited details in the initial advisory may frustrate those seeking deep technical analysis, the message is clear: an information disclosure vulnerability has been identified and fixed. The May 2026 Patch Tuesday updates include the necessary patches, and applying them is the surest way to eliminate the risk. As the security community learns more about the flaw, we will update with additional analysis. Until then, patch promptly, reinforce user awareness, and keep an eye on the Security Update Guide for evolving details.