MICROSOFT has patched CVE-2026-40361, a critical zero-click vulnerability in Outlook that can lead to remote code execution. Although Microsoft describes it as a remote code execution flaw in Word, the issue is a use-after-free bug that can be triggered without any user interaction and could affect Outlook users in an Exchange Server environment.
The vulnerability lies in a DLL used heavily by both Word and Outlook, which is why a flaw attributed to Word reaches Outlook users. Researcher Haifei Li described the attack vector as one that bypasses enterprise firewalls, because the malicious content is delivered straight to the inbox. Li warned that victims can be compromised simply by reading or previewing an email, with no need to click a link or open an attachment.
Microsoft has rated the flaw "Exploitation More Likely". Li noted that he developed only a proof of concept (PoC) rather than a working exploit, but cautioned that threat actors should not be underestimated, given the similarities to the BadWinmail vulnerability from more than a decade ago.