Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises
CVE-2026-40361 is similar to a vulnerability found a decade ago, BadWinmail, which at the time was dubbed an “enterprise killer”.


One of the 137 vulnerabilities patched by Microsoft with its Patch Tuesday updates is a critical Outlook flaw that could pose a serious threat to enterprises.
The Outlook vulnerability is tracked as CVE-2026-40361 and it has been described by Microsoft as a remote code execution vulnerability affecting Word.
Haifei Li, developer of the zero-day detection system Expmon, has been credited by the tech giant for reporting the vulnerability.
In a post on X, Li explained that the vulnerability affects a DLL used heavily by both Word and Outlook, and he demonstrated its potential impact in an Outlook and Exchange Server environment.
According to the researcher, CVE-2026-40361 is a zero-click use-after-free bug that can be exploited for remote code execution against Outlook users.
“You definitely want to patch this sooner rather ...

