✅ Report Title: Microsoft Office Excel Remote Code Execution Vulnerability: CVE-2026-40362
✅ Executive Summary:
- This is an analysis report on a Heap-based Buffer Overflow vulnerability discovered in the PivotTable record loader of Microsoft Office Excel.
📌 Overview
- This vulnerability occurs when Excel loads PivotTable records from a manipulated workbook handler IRLOADSXVIEW::This is a Remote Code Execution vulnerability caused by HrLoadSXDI14 not validating the number of data items.
- Simply opening the file triggers heap memory corruption, which can lead to arbitrary code execution when combined with information disclosure and further exploitation.
- This issue was patched in the regular update (Patch Tuesday) on May 12, 2026. It is strongly recommended for users using versions below this to update immediately.
📌 CVE-2026-40362 Details
- CVE Number: CVE-2026-40362
- Disclosure or Patch Date: 2026-05-12
- Product: Microsoft Office Excel
- Vendor: Microsoft
- Confirmed Affected Version:
- Microsoft 365 Apps for Enterprise (32·64-bit) < 2026-05 Security Update (by channel; Current Channel 16.0.19929.20164)
- Microsoft Office 2019 (32·64-bit) < 2026-05 Security Update (by channel)
- Microsoft Office LTSC 2021 (32·64-bit) < Security Updates by Channel until May 2026
- Microsoft Office LTSC 2024 (32·64-bit) < Security Updates by Channel until May 2026
- Microsoft Excel 2016 (32·64-bit, MSI) < 2026-05 Security Update (KB5002865)
- Microsoft Office LTSC for Mac 2021 / 2024 < 16.109 (build 26051019)
- Office Online Server < 16.0.10417.20128
- Patched Version:
- Microsoft 365 Apps for Enterprise (32·64-bit) ≥ 2026-05 Security Update (by channel; Current Channel 16.0.19929.20164)
- Microsoft Office 2019 (32·64-bit) ≥ 2026-05 Security Update (by channel)
- Microsoft Office LTSC 2021 (32·64-bit) ≥ 2026-05 Security Update (by channel)
- Microsoft Office LTSC 2024 (32·64-bit) ≥ 2026-05 Security Update (by channel)
- Microsoft Excel 2016 (32·64-bit, MSI) ≥ 2026-05 Security Update (KB5002865)
- Microsoft Office LTSC for Mac 2021 / 2024 ≥ 16.109 (build 26051019)
- Office Online Server ≥ 16.0.10417.20128
- Reporter(Advisor):
- Jeongmin Choi with S2W
- Haein Lee with KAIST Hacking Lab
📌 What Is the Root Cause of the Vulnerability?
- When the count value of the SXDI data item array is 0 and the SXDI14 record is processed, the IRLOADSXVIEW::HrLoadSXDI14 function calculates the address without verification, allowing a threat actor to write controlled values before the start of the array buffer. This leads to heap memory corruption and can potentially result in Remote Code Execution (RCE).
✅ Recommended Threat Detection and Mitigation Actions:
- If using a vulnerable version of Microsoft Office Excel, it is recommended to update to the latest version.
- If updating is not possible, it is recommended to follow the mitigations listed below.
- Refrain from viewing and executing spreadsheet files from untrusted sources.
👉 Read the full report: https://bit.ly/4vMHNbU
🧑💻 Author: S2W TALON
*The full report is available upon request or with a subscription to the S2W platform.