Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises
Microsoft patched CVE-2026-40361, a critical zero-click remote code execution vulnerability in Outlook that can be triggered simply by previewing or reading an email.

Microsoft's May 2026 Patch Tuesday addressed 137 vulnerabilities, including a critical zero-click remote code execution flaw in Outlook tracked as CVE-2026-40361. The vulnerability resides in a DLL shared by Word and Outlook, and it can be exploited without any user interaction beyond previewing or reading an email. Researcher Haifei Li, who discovered the bug, warned that it poses a serious threat to enterprises, as it bypasses traditional security measures like firewalls and delivers the attack directly to the inbox.
The vulnerability is a use-after-free bug in the email rendering engine. When an email is previewed or opened, the flaw allows an attacker to execute arbitrary code remotely. Li compared CVE-2026-40361 to the 2015 'BadWinmail' vulnerability (CVE-2015-6172), which he also discovered and dubbed an 'enterprise killer.' The new flaw shares the same attack vector and potential impact, meaning that a CEO or CFO could be compromised simply by receiving an email.
Microsoft has rated the exploitation likelihood as 'more likely,' indicating that the company believes a working exploit could be developed. Li has created a proof-of-concept (PoC) but not a full exploit; however, he cautioned that threat actors are creative and should not be underestimated. The vulnerability affects Outlook and Exchange Server environments, making it a significant concern for organizations that rely on Microsoft's email platform.
As a mitigation, Microsoft recommends configuring Outlook to read all email in plain text, which prevents the vulnerable rendering path from being reached. This setting may affect usability, so the primary recommendation is to apply the patch as soon as possible. The fix ships as part of the broader May 2026 Patch Tuesday release, which also includes patches for other Microsoft products.
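The following is an added example, not code from the article or from Microsoft, showing how a defender can audit (and optionally enforce) the plain-text reading mitigation on a workstation. It assumes the Office 16.0 registry path (Outlook 2016/2019/Microsoft 365) and the documented `ReadAsPlain` DWORD under `Options\Mail`; the KB number of the patch itself is not on the page, so patch status is not checked here.

```powershell
# Added example (not from the article or Microsoft): audit and optionally enable
# Outlook's "read all standard mail in plain text" setting for the current user.
# Assumes the Office 16.0 registry hive and the documented ReadAsPlain DWORD.
param([switch]$Enforce)

$userKey   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'

function Get-ReadAsPlain {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.ReadAsPlain
}

$policyValue = Get-ReadAsPlain -Path $policyKey
$userValue   = Get-ReadAsPlain -Path $userKey

# An Office policy value, when present, overrides the user's own preference.
$effective = if ($null -ne $policyValue) { $policyValue } else { $userValue }

if ($effective -eq 1) {
    Write-Output 'Plain-text reading is ENABLED (mitigation in place).'
} else {
    Write-Output 'Plain-text reading is NOT enabled; HTML/RTF bodies are rendered on preview.'
    if ($Enforce) {
        if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
        Set-ItemProperty -Path $userKey -Name 'ReadAsPlain' -Value 1 -Type DWord
        Write-Output 'ReadAsPlain set to 1 for the current user; restart Outlook to apply.'
    }
}
```

Run without `-Enforce` to report only; fleet-wide enforcement is better done through the Group Policy path so users cannot silently revert it.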
The discovery of CVE-2026-40361 highlights the ongoing risk of zero-click vulnerabilities in email clients. Such flaws are particularly dangerous because they require no user action, making them ideal for targeted attacks against high-value individuals. Organizations should prioritize patching this vulnerability to reduce the risk of compromise.