At a glance: Microsoft’s May 12, 2026 Patch Tuesday updates address a Microsoft Word remote code execution vulnerability, CVE-2026-40361, that can be triggered through Outlook when rendering a malicious email. The flaw allows code execution on the affected endpoint without user interaction, creating risk of data access, credential theft, and post-compromise activity under the user’s privileges. Microsoft Office updates remediate the vulnerability, and systems without the updated Office components remain exposed even if Windows is fully patched.
Threat summary
On May 12, Microsoft released its May Patch Tuesday security updates, addressing vulnerabilities across Windows, Microsoft Office, and other products. At the time of release, Microsoft reported none of the vulnerabilities in this update cycle as actively exploited.
Among the issues fixed was a critical Microsoft Word remote code execution vulnerability, tracked as CVE-2026-40361. It was discovered by Haifei Li, a security researcher known for identifying the zero-click Outlook vulnerability referred to as “BadWinmail” more than a decade ago.
Li stated that the vulnerability resides in wwlib.dll, a shared dynamic link library used by both Microsoft Outlook and Word. Based on his testing, he assessed that the flaw can be triggered through Outlook email rendering as well as by processing a crafted Word document.
He described the issue as a genuine zero-click remote code execution vulnerability affecting Outlook, demonstrated in a live Outlook client receiving email through Exchange Server.
The flaw allows remote code execution when Outlook renders a specially crafted email, including through the Preview Pane, as part of normal message processing. Outlook relies on the affected library to render email content, which creates an attack path that activates automatically when messages are processed. Because exploit delivery occurs through standard email handling, the attack does not rely on user interaction such as opening attachments or clicking links.
Microsoft assigned CVE-2026-40361 a CVSS score of 8.4 and a Critical severity rating, with an exploitability assessment of “more likely.”
Analysis
Normally, malicious emails rely on a user clicking a link or opening an attachment. With this flaw, an email crafted to exploit Outlook can trigger the attack as soon as it is rendered. When the message arrives, Outlook automatically processes it for display and, on an unpatched system, that routine step can result in malicious code being executed without any user action.
Successful exploitation could lead to full compromise of the affected Outlook endpoint under the user’s privileges. That would allow access to sensitive data available to that user, theft of stored credentials, installation of additional malicious tools, and post-compromise activity elsewhere in the environment.
Microsoft Office security updates released on May 12 remediate this vulnerability. Windows operating system updates alone do not address the issue: a system with fully updated Windows but an unpatched Office installation remains exposed, while the Office updates are effective even if Windows patching is still pending.
Where Office patch deployment is temporarily delayed, configuring Outlook to render email in plain-text format may reduce exposure by limiting how email content is processed. This does not remove the underlying vulnerability, and because the flaw lives in a library shared with Word, a crafted Word document is still an exposure; it reduces the attack surface for the zero-click email path while patches are deployed.
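The two preceding points, checking that the Office components (rather than Windows) are updated and applying the plain-text interim mitigation, as an added PowerShell example. This is not code from Microsoft or from the advisory. The minimum Office build is a placeholder parameter, to be replaced with the remediated build number from Microsoft’s release notes for the May 12 updates; the wwlib.dll path assumes a default Click-to-Run installation.

```powershell
<#
 Added example (not Microsoft's or the advisory author's code).
 Audits the reported Office build and the wwlib.dll file version on this host,
 and, where the build is below an administrator-supplied minimum, optionally
 applies the interim mitigation of reading all standard mail as plain text.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # ASSUMPTION: placeholder. Replace with the Office build that remediates
    # CVE-2026-40361, taken from Microsoft's release notes for the May 12 updates.
    [version]$MinimumOfficeBuild = '16.0.0.0',
    # Apply or revert the plain-text mitigation for the current user.
    [switch]$ApplyMitigation,
    [switch]$RevertMitigation
)

# Click-to-Run configuration key that records the installed Office build.
$C2RKey      = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
# Outlook per-user mail options; ReadAsPlain=1 is "Read all standard mail in plain text".
$MailOptions = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
# ASSUMPTION: default Click-to-Run locations for the shared Word rendering library.
$WwlibCandidates = @(
    "$env:ProgramFiles\Microsoft Office\root\Office16\wwlib.dll",
    "${env:ProgramFiles(x86)}\Microsoft Office\root\Office16\wwlib.dll"
)

function Get-OfficeBuildState {
    $state = [ordered]@{ OfficeBuild = $null; WwlibVersion = $null; Patched = $false }

    $c2r = Get-ItemProperty -Path $C2RKey -ErrorAction SilentlyContinue
    if ($c2r -and $c2r.VersionToReport) {
        $state.OfficeBuild = [version]$c2r.VersionToReport
    }

    # Record the version of the library the advisory names, for cross-checking
    # against the build reported by Click-to-Run.
    $wwlib = $WwlibCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($wwlib) {
        $vi = (Get-Item $wwlib).VersionInfo
        $state.WwlibVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    # Only a reported build at or above the minimum counts as patched; an unknown
    # build (no Click-to-Run key) is treated as not patched.
    $state.Patched = ($null -ne $state.OfficeBuild) -and ($state.OfficeBuild -ge $MinimumOfficeBuild)
    return [pscustomobject]$state
}

function Set-OutlookPlainText {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)

    $value = if ($Enabled) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess($MailOptions, "Set ReadAsPlain = $value")) {
        if (-not (Test-Path $MailOptions)) { New-Item -Path $MailOptions -Force | Out-Null }
        Set-ItemProperty -Path $MailOptions -Name ReadAsPlain -Value $value -Type DWord
        Write-Host "ReadAsPlain set to $value; restart Outlook for the change to take effect."
    }
}

$state = Get-OfficeBuildState
$state | Format-List

if ($state.Patched) {
    Write-Host "Office build $($state.OfficeBuild) meets minimum $MinimumOfficeBuild."
    if ($RevertMitigation) { Set-OutlookPlainText -Enabled $false }
}
else {
    Write-Warning "Office build is below $MinimumOfficeBuild or unknown; this host remains exposed until the Office updates are installed, regardless of Windows patch state."
    if ($ApplyMitigation) { Set-OutlookPlainText -Enabled $true }
}
```

Run it with `-WhatIf` first to see which registry change it would make. Because the setting lives under HKCU, it protects only the profile it is run in; for fleet-wide rollout, push the same ReadAsPlain value through Group Policy or Intune, and use `-RevertMitigation` once the build check passes so users get HTML rendering back.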
During rollout, organizations commonly prioritize patch coverage for high-risk user groups, such as executives, privileged users, and staff with access to sensitive/critical systems, where compromise of an Outlook endpoint would have greater operational and business impact.