Outlook CVE-2026-40361: Zero-Click Flaw Puts Businesses at Risk

On the occasion of its May 2026 Patch Tuesday, Microsoft fixed a major zero-click flaw affecting Outlook: CVE-2026-40361. This vulnerability should be taken seriously because it allows code execution on Windows with no user interaction whatsoever.

A silent threat at the heart of Outlook

Among the hundred vulnerabilities patched by Microsoft during its latest Patch Tuesday, 20 were critical security flaws. One of them is CVE-2026-40361 in Outlook.

Discovered and reported by Haifei Li, this weakness in the Outlook email client can lead to remote code execution on Windows. The issue is located in a DLL (wwlib.dll) heavily used by Outlook, but also by Word. Here are the key characteristics of this flaw:

  • Flaw type: this is a zero-click "use-after-free" bug.
  • Attack vector: exploitation leads to remote code execution directly on the user's workstation.
  • Trigger: this is where it becomes especially dangerous, since simply receiving or previewing the message is enough. The attack is invisible and immediate.

On X, security researcher Haifei Li warns: "You absolutely need to patch this as soon as possible." He adds: "The danger of these 0-click Outlook bugs is that they trigger as soon as the victim reads or previews the email — no click on links or attachments is required."

CVE-2026-40361 affects the following Microsoft Office versions:

  • Office 2016,
  • Office 2019,
  • Office 2021 LTSC,
  • Office 2024 LTSC,
  • Microsoft 365 Apps for Enterprise.

The latest security updates for Microsoft Office patch this vulnerability. Although no longer supported since October 2025, Microsoft Office 2016 still receives a fix for Word.

What is surprising, though, is that Microsoft associates the flaw with Word, while the researcher links it to Outlook. "I demonstrated this bug to the MSRC by showing that it occurs in a real-world, operational Outlook + Exchange Server environment. I would bet that, since the bug resides in wwlib.dll — a shared DLL widely used by both Outlook and Word — it probably affects both Outlook (via an email) and Word (via a document file)," the researcher explains.

A reference to BadWinmail, an older vulnerability

Haifei Li compares CVE-2026-40361 to another Outlook vulnerability he discovered more than a decade ago: the BadWinmail flaw (CVE-2015-6172). At the time, that vulnerability caused serious damage... Let's hope CVE-2026-40361 is less destructive.

As of today, it should be noted that the flaw is not being exploited in the wild. However, that could change quickly, so applying the latest security updates is recommended. It is surely no coincidence that Microsoft assigned this vulnerability the label "exploitation more likely."

Beyond the patch, defensive options are limited. The researcher explains: "Since the bugs reside in Outlook's email rendering engine, they are difficult to mitigate or block (although configuring Outlook specifically to render emails in plain text only is a valid mitigation)."
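One way to roll out the plain-text mitigation the researcher mentions, as an added example that is not from the article, from Microsoft or from the researcher: this PowerShell script reads the current state of Outlook's documented ReadAsPlain setting, enforces it through the policy hive (so the user cannot switch HTML rendering back on), and records the installed wwlib.dll version for fleet-wide comparison. The patched build number is not given in the article and is left as a placeholder; the install paths assume a standard Office 16.x (2016 and later) installation.

```powershell
# Added example: enforce "read all mail as plain text" in Outlook 2016+ (16.0 hive)
# and record the wwlib.dll version so patch status can be compared across machines.
# ReadAsPlain is Microsoft's documented setting; writing it under the Policies path
# makes it non-overridable by the user. Run in the user's context (HKCU).
$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'
$userKey   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'

function Get-ReadAsPlainState {
    # Policy value wins over the user preference, so check it first.
    foreach ($k in @($policyKey, $userKey)) {
        $v = Get-ItemProperty -Path $k -Name ReadAsPlain -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [pscustomobject]@{ Key = $k; ReadAsPlain = $v.ReadAsPlain } }
    }
    # Neither value present: Outlook default, HTML rendering enabled.
    return [pscustomobject]@{ Key = $null; ReadAsPlain = 0 }
}

function Enable-PlainTextReading {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name ReadAsPlain -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-WwlibVersion {
    # Usual locations for Click-to-Run and MSI Office 16.x; adjust for custom installs.
    $candidates = @(
        "$env:ProgramFiles\Microsoft Office\root\Office16\wwlib.dll",
        "${env:ProgramFiles(x86)}\Microsoft Office\root\Office16\wwlib.dll",
        "$env:ProgramFiles\Microsoft Office\Office16\wwlib.dll"
    )
    foreach ($p in $candidates) {
        if (Test-Path $p) { return (Get-Item $p).VersionInfo.FileVersion }
    }
    return $null
}

$before = Get-ReadAsPlainState
Write-Host "Before: ReadAsPlain=$($before.ReadAsPlain) (source: $($before.Key))"
Enable-PlainTextReading
$after = Get-ReadAsPlainState
Write-Host "After:  ReadAsPlain=$($after.ReadAsPlain) (source: $($after.Key))"

# PLACEHOLDER: the article does not give the fixed build; take it from the advisory.
$patchedVersion = '<FIXED-WWLIB-VERSION>'
$ver = Get-WwlibVersion
Write-Host "wwlib.dll version: $ver (compare with $patchedVersion for your update channel)"
```

Plain-text rendering is an interim measure only: it removes the HTML rendering path the researcher describes but does not replace installing the May 2026 update.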

Florian Burnel, co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
