Resources
  • Research
  • Threat Intelligence Reports
Microsoft Office Excel Remote Code Execution Vulnerability: CVE-2026-40362
2026.07.09

✅ Report Title: Microsoft Office Excel Remote Code Execution Vulnerability: CVE-2026-40362



✅ Executive Summary:


- This is an analysis report on a Heap-based Buffer Overflow vulnerability discovered in the PivotTable record loader of Microsoft Office Excel.



📌 Overview


- This vulnerability occurs when Excel loads PivotTable records from a manipulated workbook handler IRLOADSXVIEW::This is a Remote Code Execution vulnerability caused by HrLoadSXDI14 not validating the number of data items.


- Simply opening the file triggers heap memory corruption, which can lead to arbitrary code execution when combined with information disclosure and further exploitation.


- This issue was patched in the regular update (Patch Tuesday) on May 12, 2026. It is strongly recommended for users using versions below this to update immediately.



📌 CVE-2026-40362 Details


- CVE Number: CVE-2026-40362


- Disclosure or Patch Date: 2026-05-12


- Product: Microsoft Office Excel


- Vendor: Microsoft


- Confirmed Affected Version:

  - Microsoft 365 Apps for Enterprise (32·64-bit) < 2026-05 Security Update (by channel; Current Channel 16.0.19929.20164)

  - Microsoft Office 2019 (32·64-bit) < 2026-05 Security Update (by channel)

  - Microsoft Office LTSC 2021 (32·64-bit) < Security Updates by Channel until May 2026

  - Microsoft Office LTSC 2024 (32·64-bit) < Security Updates by Channel until May 2026

  - Microsoft Excel 2016 (32·64-bit, MSI) < 2026-05 Security Update (KB5002865)

  - Microsoft Office LTSC for Mac 2021 / 2024 < 16.109 (build 26051019)

  - Office Online Server < 16.0.10417.20128


- Patched Version:

  - Microsoft 365 Apps for Enterprise (32·64-bit) ≥ 2026-05 Security Update (by channel; Current Channel 16.0.19929.20164)

  - Microsoft Office 2019 (32·64-bit) ≥ 2026-05 Security Update (by channel)

  - Microsoft Office LTSC 2021 (32·64-bit) ≥ 2026-05 Security Update (by channel)

  - Microsoft Office LTSC 2024 (32·64-bit) ≥ 2026-05 Security Update (by channel)

  - Microsoft Excel 2016 (32·64-bit, MSI) ≥ 2026-05 Security Update (KB5002865)

  - Microsoft Office LTSC for Mac 2021 / 2024 ≥ 16.109 (build 26051019)

  - Office Online Server ≥ 16.0.10417.20128


- Reporter(Advisor):

  - Jeongmin Choi with S2W

  - Haein Lee with KAIST Hacking Lab



📌 What Is the Root Cause of the Vulnerability?


- When the count value of the SXDI data item array is 0 and the SXDI14 record is processed, the IRLOADSXVIEW::HrLoadSXDI14 function calculates the address without verification, allowing a threat actor to write controlled values before the start of the array buffer. This leads to heap memory corruption and can potentially result in Remote Code Execution (RCE).



✅ Recommended Threat Detection and Mitigation Actions:


- If using a vulnerable version of Microsoft Office Excel, it is recommended to update to the latest version.


- If updating is not possible, it is recommended to follow the mitigations listed below.


- Refrain from viewing and executing spreadsheet files from untrusted sources.




👉 Read the full report: https://bit.ly/4vMHNbU


🧑‍💻 Author: S2W TALON


*The full report is available upon request or with a subscription to the S2W platform.


List