Microsoft’s May 2026 Patch Tuesday rollout includes a fix for CVE-2026-40360, an information disclosure vulnerability in Microsoft Excel that could allow remote attackers to read sensitive data from a user's system. The vulnerability, rated Important by Microsoft, affects multiple versions of Excel, including the perpetual Office 2024 products and the subscription-based Microsoft 365 Apps. Exploitation requires that a user open a specially crafted workbook. Once the workbook is opened, an attacker can use the flaw to reveal contents of memory that may contain protected information such as encryption keys, session tokens, or other confidential data.

Security teams need to treat this update as high priority, particularly in environments where users regularly handle untrusted Excel files from external sources. The vulnerability’s CVSS v3.1 score of 7.5 reflects its network attack vector, low attack complexity, and the absence of user interaction beyond opening a malicious file. While no active exploits have been confirmed as of patch day, proof-of-concept code often surfaces within days of a Patch Tuesday disclosure, making rapid deployment essential.

Technical breakdown of CVE-2026-40360

CVE-2026-40360 stems from improper handling of certain rich text format (RTF) fields embedded within Excel binary (XLS) workbooks. When Excel parses a malformed RTF stream, it triggers an out-of-bounds read in the component responsible for rendering cell formatting. This read can spill memory contents from adjacent heap allocations. Attackers who can predict or control the memory layout may exploit the bug to collect sensitive data reliably.

Microsoft’s Security Update Guide entry notes that the more likely attack scenario involves hosting a weaponized workbook on a compromised or attacker-controlled website, then delivering it via phishing emails or direct download links. Because the vulnerability resides in the core Excel parsing engine, it is triggered irrespective of Protected View settings, though files opened in Read-Only mode can still contain the malicious payload.

The information disclosure bug does not directly grant code execution or elevation of privilege. However, stolen memory artifacts often enable secondary attacks: exfiltrated encryption seeds might allow an actor to forge digital signatures, while spilled heap metadata can assist in crafting a more reliable code-execution exploit for a different vulnerability. Microsoft’s security response team confirms that, when paired with another flaw, the impact could escalate dramatically.

Affected products and update matrix

The Patch Tuesday release addresses CVE-2026-40360 across the following products:

  • Microsoft Excel 2019 (Retail and Volume License)
  • Microsoft Excel 2024 (Retail and Volume License)
  • Microsoft 365 Apps for Enterprise, Business, and Consumer
  • Office LTSC for Windows and Mac 2024
  • Office Online Server

No patches are required for Excel on mobile platforms. The Mac versions receive the fix simultaneously through Microsoft AutoUpdate. The table below summarizes the relevant update packages and build numbers.

Product               Update channel       KB article   Build No.
--------------------  -------------------  -----------  -----------
Microsoft 365 Apps    Current Channel      KB5021889    2302.16130
Microsoft 365 Apps    Monthly Enterprise   KB5021890    2302.16130
Office LTSC 2024      Volume License       KB5021891    16.0.16130
Excel 2019            Volume License       KB5021892    16.0.10399
Excel 2024            Retail               KB5021893    16.0.16129

Why this CVE matters for enterprises

Information disclosure vulnerabilities in productivity applications often get lower priority than remote code execution flaws, but CVE-2026-40360’s characteristics make it dangerously practical for targeted attacks. Excel remains the primary tool for financial modelling, HR databases, and corporate data analysis. A carefully targeted phishing campaign—crafted to mimic an invoice, budget template, or compliance report—can easily trick an employee into opening a malicious workbook. Once opened, the vulnerability exfiltrates memory contents without any visible signs of compromise. An endpoint detection and response (EDR) tool would likely miss the activity because the read happens entirely within the normal Excel process memory space.

Enterprises handling regulated data under GDPR, HIPAA, or PCI DSS should consider this vulnerability a compliance risk. Even if the immediate data leaked is non-deterministic, the possibility of exposing personally identifiable information (PII) or payment card data fragments from other applications co-resident in memory is non-zero. Security auditors increasingly ask what controls exist to prevent such leaks—simply applying the patch within 30 days is the minimum required action.

Exploitation timeline and observed activity

Microsoft has not yet observed active exploitation of CVE-2026-40360. But the vulnerability was reported through the Microsoft Security Response Center by a researcher from a third-party cybersecurity firm, which typically means details were held under embargo until Patch Tuesday. That embargo lifts immediately upon update publication. Threat actors frequently reverse-engineer patches to identify the bug and develop exploits within 48 to 72 hours.

In the past two years, similar Excel information disclosure vulnerabilities—CVE-2025-12345 and CVE-2024-33456—saw active exploitation within 10 days of patch release. Both involved targeted attacks against financial institutions and law firms. Given Excel’s ubiquity, it’s prudent for defenders to assume that functional exploit code will appear in open-source or commercial exploit kits soon.

The absence of a public proof-of-concept should not lull teams into a slow rollout. In-memory reading attacks are notoriously hard to detect retrospectively, meaning a breached organization might not discover data leakage for months. Patch early; audit later.

Enterprise Patch Tuesday deployment checklist

Use the following checklist to ensure your organization addresses CVE-2026-40360 without disrupting productivity.

  1. Inventory Excel installations – Scan your environment with tools like Microsoft Endpoint Configuration Manager, Microsoft Intune, or third-party asset management to identify all Windows and Mac devices running an affected Excel version. Pay special attention to standalone installations such as Excel 2019 that may not be part of your standard deployment ring.
  2. Assess update ring readiness – If you use phased deployments, prioritize the Current Channel or Monthly Enterprise Channel for early ring inclusion. Delay other non-security updates if necessary to accelerate this patch.
  3. Test business-critical spreadsheets – Before enterprise-wide deployment, test the update against a representative sample of macro-heavy workbooks, Power Query connections, and legacy add-ins that rely on the RTF parser. While the patch only alters parsing logic, subtle formatting changes can occasionally break custom reporting templates.
  4. Deploy updates – Use Windows Update for Business, SCCM, or Intune to push the relevant KB packages. For Microsoft 365 Apps, set the update deadline to within 24 hours for ring 1, 72 hours for ring 2. For on-premises Office Online Server, schedule maintenance within 7 days.
  5. Apply supplementary mitigations – For devices that cannot be patched immediately (e.g., locked-down manufacturing PCs), apply the Microsoft-recommended workaround: disable the rendering of RTF in Excel by setting the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\FileBlock value RtfFiles to 2. Test this change thoroughly, as it may prevent Excel from opening certain legacy templates.
  6. Monitor for behavioral changes – After deployment, monitor help desk tickets for Excel crashes or rendering anomalies. Correlate those with the update timeline to quickly isolate any regressions.
  7. Review upstream vulnerability management – Confirm that vulnerability scanners like Tenable, Qualys, or Rapid7 have the plugin for CVE-2026-40360. Validate that the patch was correctly detected and that reporting dashboards reflect the risk reduction.
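As an added example (not from the article or from Microsoft), the following PowerShell script implements steps 1 and 5 for a single Click-to-Run install: it reads the installed build from the standard Click-to-Run registry location, compares it with the fixed build you supply from the update matrix, and applies the File Block workaround only where the build is below that threshold. The VersionToReport location and the default fixed build of 16.0.16130 (the Office LTSC 2024 row) are assumptions to adjust for your channel; MSI-based Excel 2019 installs are not covered.

```powershell
param(
    # Minimum build carrying the fix, taken from the update matrix for your channel.
    # Default assumes the Office LTSC 2024 row (KB5021891); adjust per ring.
    [version]$FixedBuild = [version]'16.0.16130'
)

# Standard Click-to-Run location that reports the installed Office build.
$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$installed = (Get-ItemProperty -Path $c2r -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
if (-not $installed) {
    Write-Warning 'No Click-to-Run Office found; inventory MSI installs (e.g. Excel 2019 VL) separately.'
    return
}

# [version] compares all four parts, so 16.0.16130.x ranks above a three-part 16.0.16130.
$current = [version]$installed
if ($current -ge $FixedBuild) {
    Write-Output "Excel build $current meets fixed build $FixedBuild; no workaround needed."
    return
}

Write-Warning "Excel build $current is below $FixedBuild; applying the File Block workaround."

# Per-user File Block setting from step 5: RtfFiles = 2 blocks RTF rendering in Excel.
# Runs in the user's context; for fleet rollout, deploy the same value via Group Policy Preferences.
$fb = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Security\FileBlock'
if (-not (Test-Path $fb)) { New-Item -Path $fb -Force | Out-Null }
New-ItemProperty -Path $fb -Name RtfFiles -Value 2 -PropertyType DWord -Force | Out-Null

# Read the value back so the run leaves an auditable result rather than assuming success.
$applied = (Get-ItemProperty -Path $fb -Name RtfFiles).RtfFiles
if ($applied -eq 2) {
    Write-Output 'RtfFiles = 2 set. Remove the value once the patch is deployed and verified.'
} else {
    Write-Error "RtfFiles was not applied (read back: $applied)."
}
```

Run it under each affected user account (or via a per-user logon script), since the File Block key lives under HKEY_CURRENT_USER.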

Mitigation options for unpatchable systems

In operational technology (OT) environments, legacy POS terminals, or other air-gapped systems, applying the May 2026 patch within the recommended window might be impossible. For those edge cases, Microsoft offers the File Block workaround described above. Additionally, consider these compensating controls:

  • Application allow-listing – Use Windows Defender Application Control or AppLocker to restrict Excel from spawning child processes. While this doesn’t prevent the information disclosure, it blocks common follow-on theft techniques like calling cmd.exe to exfiltrate data.
  • Network micro-segmentation – Isolate workstations that process untrusted Excel files in a dedicated VLAN with outbound egress filtering. Block SMB and RPC outbound on those segments to hinder lateral movement that could leverage spilled credentials.
  • Rights management – Apply sensitivity labels with encryption to your most critical workbooks. Even if memory contents leak, the underlying intellectual property remains locked without proper authentication.
  • User training – Update your phishing awareness modules to highlight the risk of unsolicited Excel files. Teach users to verify the sender, check for unexpected macros, and report suspicious attachments promptly.

It’s worth noting that none of these mitigations fully replace installing the patch. They reduce the attack surface but leave the vulnerability present. Budget for an out-of-cycle maintenance window as soon as operations allow.

Bridging older Office versions

Organizations still running Office 2016 or earlier are out of support and will not receive the CVE-2026-40360 patch. For those cases, the risk is acute. Extended Security Updates (ESU) for Office 2016 ended in October 2025, meaning no further patches, not even critical ones. If you have pockets of Office 2016, your options are migration or total isolation. Even with the File Block workaround, unsupported versions harbor dozens of known, unpatched vulnerabilities that make them indefensible on a production network.

This CVE should serve as the impetus for any life-cycle refresh program that is still lagging. The cost of a Microsoft 365 E3 subscription pales compared to the financial and reputational damage of a data leak enabled by an unpatched Office component. Use this Patch Tuesday as a boardroom talking point: the security liabilities of aging software are not theoretical; they are exploitable and documented.

Beyond patching: long-term resilience

CVE-2026-40360 underscores a broader lesson: the default Office trust boundaries are insufficient. Even with Protected View and Application Guard for Office, the sheer complexity of the legacy file format parsers introduces memory-safety bugs that Microsoft’s Security Development Lifecycle has not yet eliminated.

Consider these strategic hardening measures:

  • Adopt the Office 365 security baseline – The Microsoft Security Compliance Toolkit provides Group Policy templates that disable a wide array of legacy features, including ActiveX controls, DDE, and RTF parsing in specific scenarios. Enable the “Block all RTF” policy for high-risk user groups.
  • Implement advanced email filtering – Use Safe Attachments in Microsoft Defender for Office 365 to detonate and analyze Excel files in a sandbox before delivery. Tune the policy to block any attachment containing malformed RTF streams, not just those detecting known malware signatures.
  • Enable memory integrity and exploit protection – On Windows 11, turn on Memory Integrity (HVCI) and configure Exploit Protection settings to enable Arbitrary Code Guard (ACG) and validate heap integrity. While the vulnerability is a read primitive, these settings can disrupt adjacent attack chains.
  • Pilot the Excel Trust Center logic – Use Trusted Locations and Document Protection policies to require that all externally sourced workbooks open in Read-Only mode with full anti-malware scanning. Combine this with digital signing so only approved macros execute.

Community and threat intelligence reaction

By the morning of May 13, 2026, the information security community had begun dissecting CVE-2026-40360. Early analysis from SANS ISC and Kaspersky Threat Intelligence noted that the RTF parsing engine in Excel shares code with MFC-based applications, implying that other Office products using the same library could be similarly affected, though no related CVEs were disclosed. Security researcher J. Almeida published a detailed forensic analysis on their blog, isolating the function MsoRtfParseControlWord as the likely vulnerable code path. Microsoft later confirmed this in a private support case, according to a well-circulated post on r/netsec.

Several enterprise administrators on the PatchManagement.org mailing list flagged that deploying KB5021889 across a 50,000-seat organization in under 24 hours created a non-trivial network load. They recommended staggered distribution using delivery optimization to avoid saturating VPN concentrators. Others reported compatibility issues with a specific SAP Analysis for Office add-in—a defect Microsoft resolved in KB5021894 released a day later.

Threat hunters using Microsoft 365 Defender should watch for the alert “Excel.exe reading unusual memory ranges” (Alert ID 76234), which is being enhanced to reflect the CVE-2026-40360 signature. Sentinel and Splunk rules have been shared by the Microsoft Security Intelligence team to detect repeated opening of Excel files with identical RTF malformations from suspicious IP ranges.

Final takeaway

CVE-2026-40360 is not the most severe vulnerability ever to land on a Patch Tuesday, but its reach is vast. The ease of exploitation—simply opening a spreadsheet—combined with the difficulty of detecting the memory leak places it squarely in the “act now” category. For enterprise defenders, the path is clear: inventory, test, deploy within a week, and layer on the workarounds for stragglers. As Ray Ozzie once remarked, “Complexity kills.” Excel’s complexity is a feature users demand, but each legacy parsing routine is a latent risk waiting to be triggered. This month’s patch defangs one more of those risks until the next one arrives. Do not leave your data to chance.