By Eduard Kovacs
Publication Date: 2026-05-13 10:33:00
One of the 137 vulnerabilities patched by Microsoft with its Patch Tuesday updates is a critical Outlook flaw that could pose a serious threat to enterprises.
The Outlook vulnerability is tracked as CVE-2026-40361 and it has been described by Microsoft as a remote code execution vulnerability affecting Word.
Haifei Li, developer of the zero-day detection system Expmon, has been credited by the tech giant for reporting the vulnerability.
In a post on X, Li explained that the vulnerability affects a DLL used heavily by both Word and Outlook, and he demonstrated its potential impact in an Outlook and Exchange Server environment.
According to the researcher, CVE-2026-40361 is a zero-click use-after-free bug that can be exploited for remote code execution against Outlook users.
“You definitely want to patch this sooner rather than later,” Li warned, adding, “The danger of such 0-click bugs in Outlook is that they are triggered as soon as the victim reads or…
