One of the 137 vulnerabilities patched by Microsoft with its Patch Tuesday updates is a critical Outlook flaw that could pose a serious threat to enterprises.
The Outlook vulnerability is tracked as CVE-2026-40361 and it has been described by Microsoft as a remote code execution vulnerability affecting Word.
Haifei Li, developer of the zero-day detection system Expmon, has been credited by the tech giant for reporting the vulnerability.
In a post on X, Li explained that the vulnerability affects a DLL used heavily by both Word and Outlook, and he demonstrated its potential impact in an Outlook and Exchange Server environment.
According to the researcher, CVE-2026-40361 is a zero-click use-after-free bug that can be exploited for remote code execution against Outlook users.
“You definitely want to patch this sooner rather than later,” Li warned, adding, “The danger of such 0-click bugs in Outlook is that they are triggered as soon as the victim reads or previews the email — no clicking of links or attachments is required.”
“Since the bugs reside in Outlook’s email rendering engine, it is difficult to mitigate or block (though specifically setting Outlook to render emails only in plain text format is a valid mitigation),” the researcher said.
Li compared CVE-2026-40361 to an Outlook vulnerability he discovered more than a decade ago. That flaw, tracked as CVE-2015-6172 and named BadWinmail, was dubbed an “enterprise killer” at the time by the researcher, and the new flaw has the same attack vector and the same potential impact.
“Essentially, anyone could compromise a CEO or CFO just by sending an email,” Li explained. “The threat perfectly bypasses enterprise firewalls and is delivered directly to the inbox.”
Microsoft has assigned the vulnerability an ‘exploitation more likely’ rating.
On the other hand, Li admitted that he developed only a PoC for CVE-2026-40361, rather than a working exploit that achieves code execution. He noted that while developing a working exploit would not be easy, the creativity of threat actors should not be underestimated.
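The plain-text rendering setting Li mentions as a mitigation can be enforced per user from PowerShell. This is an added example, not from the article or from Microsoft; it assumes Office 16.0 (Microsoft 365 / Office 2016 through 2021) and writes the documented `ReadAsPlain` value to both the user-preference and the policy hive so the setting cannot be switched off from the Outlook UI.

```powershell
# Added example (not from the article): force Outlook to render all standard mail
# as plain text, the mitigation Li refers to. Assumes the Office 16.0 registry
# path (Microsoft 365 / Office 2016-2021); adjust the version segment otherwise.
$keys = @(
    'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail',          # user preference
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'  # policy, overrides the UI toggle
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # ReadAsPlain = 1 : "Read all standard mail in plain text"
    Set-ItemProperty -Path $key -Name 'ReadAsPlain' -Type DWord -Value 1
}

# Verify both locations now report the value; Outlook picks it up on next start.
foreach ($key in $keys) {
    $value = (Get-ItemProperty -Path $key -Name 'ReadAsPlain' -ErrorAction Stop).ReadAsPlain
    '{0}: ReadAsPlain = {1}' -f $key, $value
}
```

Plain-text rendering reduces exposure of the HTML rendering path only; it is a stopgap until the CVE-2026-40361 update is installed, and it does not replace patching.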