Microsoft patched CVE-2026-40361, a critical zero-click Outlook flaw that could enable remote code execution when a victim simply reads or previews an email. Researcher Haifei Li warned the bug could bypass enterprise defenses and compared its potential impact to the earlier BadWinmail issue, dubbing it a serious threat to executives and enterprise environments. #CVE-2026-40361 #Outlook #Word #ExchangeServer #BadWinmail #HaifeiLi
Key points
- Microsoft fixed CVE-2026-40361 in its Patch Tuesday updates.
- The flaw is a zero-click use-after-free bug in Outlook’s email rendering path.
- Simply previewing or reading a malicious email can trigger exploitation.
- Haifei Li reported the issue and demonstrated its impact in Outlook and Exchange Server environments.
- Microsoft rated the vulnerability as “exploitation more likely” and urged rapid patching.