Microsoft Patches Critical Zero-Click Outlook/Word RCE Tracked as CVE-2026-40361

By Ash K

Microsoft has patched a Word vulnerability that defenders should treat like an Outlook problem.

CVE-2026-40361 is officially listed as a Critical Microsoft Word remote code execution flaw, but researcher analysis says the bug lives in a DLL heavily used by both Word and Outlook. That turns the issue from a document-handling bug into something far more dangerous for enterprise mailboxes: a possible zero-click RCE path through email preview.

What Microsoft Patched

Microsoft addressed CVE-2026-40361 as part of its May 2026 Patch Tuesday release on May 12, 2026. The vulnerability is classified as a Microsoft Word remote code execution issue with a CVSS severity score of 8.4 and a Critical rating.

The flaw was credited to Haifei Li, the developer of the Expmon zero-day detection system. SecurityWeek reported that Li described CVE-2026-40361 as a zero-click use-after-free issue that can be triggered against Outlook users, despite the vulnerability being categorized under Microsoft Word.

The important operational detail is the attack surface. According to Li’s public analysis, the vulnerable component is a DLL used by both Word and Outlook. In an Outlook and Exchange Server environment, that can make email rendering the trigger point — not a traditional document-open workflow.

Why Zero-Click Changes the Risk

Most Office exploitation still depends on some user action: opening a file, enabling content, clicking a link, or interacting with a lure. CVE-2026-40361 is more concerning because the reported trigger path sits inside email preview and rendering.

That means a victim may not need to open an attachment or click anything. The researcher warned that the bug can be triggered when a user reads or previews a malicious email. For security teams, that is a very different exposure model because awareness training and “do not click” controls do not meaningfully stop a rendering bug.

Microsoft’s own May 2026 security update cycle included multiple critical Word RCE flaws. Zero Day Initiative listed CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, and CVE-2026-40367 as Critical Microsoft Word remote code execution vulnerabilities, all with CVSS scores of 8.4 and no known exploitation at publication time.

Patch Tuesday Context

Microsoft’s May 2026 Patch Tuesday release fixed more than 100 vulnerabilities across its product stack. BleepingComputer counted 120 flaws, including 17 Critical vulnerabilities, while Zero Day Initiative’s broader review listed 137 Microsoft CVEs for the month.

The exact count varies depending on whether previously released Microsoft fixes, Edge/Chromium issues, and other product advisories are included. What does not change is the priority: CVE-2026-40361 is one of the Office bugs defenders should move quickly on because it combines remote code execution with an email-based delivery path.

Microsoft reportedly marked CVE-2026-40361 as “exploitation more likely,” although there is no confirmed public exploitation at the time of reporting. That label matters because Microsoft uses it to signal that exploitation is plausible based on the vulnerability’s characteristics, exploitability, and attack surface.

Why This Stands Out

The uncomfortable part is not simply that Word had another RCE bug. The uncomfortable part is that Outlook may become the delivery engine.

Email remains one of the few channels that reliably reaches executives, finance teams, legal departments, sales teams, and administrators. A zero-click Outlook path compresses the kill chain. The attacker does not need to win a persuasion contest; they only need the message to be processed in the right vulnerable context.

That is why this class of bug is so valuable. It travels through normal business infrastructure, bypasses perimeter assumptions, and lands directly in a user workflow that cannot be disabled without disrupting operations.

Defensive Priorities

Organizations should prioritize Microsoft Office updates across endpoints that use Outlook, Word, Microsoft 365 Apps, Office LTSC, and supported standalone Office builds. High-risk groups should move first: executives, finance, legal, IT administrators, help desks, security teams, and users with access to sensitive mailboxes or privileged workflows.

Security teams should also validate update coverage rather than assuming Microsoft 365 Apps have already patched everywhere. Remote laptops, paused update channels, disconnected systems, VDI images, and gold images can leave older Office builds exposed long after Patch Tuesday.

Where patching cannot be completed immediately, rendering email as plain text may reduce exposure for some Outlook users, but that should be treated as a temporary mitigation. The more reliable fix is to deploy the Microsoft security updates that address the vulnerable Office components.
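The two checks above (confirm the Office build actually installed on each endpoint, and know whether the plain-text reading mitigation is in place) can be scripted. The following PowerShell is an added example written for this article; it is not code from Microsoft or from the article's author. It assumes a Click-to-Run install of Microsoft 365 Apps or Office LTSC (the ClickToRun\Configuration registry key and the 16.0 Outlook key apply to Office 2016 and later; MSI-based installs need a different inventory source), and the minimum patched build is a placeholder that must be replaced with the fixed build number Microsoft publishes for your update channel.

```powershell
<#
  Added example (not from the article or Microsoft): audit one endpoint for
  CVE-2026-40361 exposure by comparing its Office Click-to-Run build to a
  minimum patched build, and report (optionally enable) Outlook's
  "read all standard mail in plain text" setting for the current user.
#>
param(
    # PLACEHOLDER: substitute the fixed build for your update channel from
    # Microsoft's release notes for the May 2026 security update.
    [version]$MinimumPatchedBuild = [version]'16.0.99999.99999',
    # When set, turn on plain-text reading for the current user's Outlook profile.
    [switch]$EnablePlainText
)

function Get-OfficeC2RVersion {
    # Click-to-Run installs record the reported build and update channel here.
    $cfg = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $props = Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.VersionToReport) { return $null }
    [pscustomobject]@{
        Version        = [version]$props.VersionToReport
        Channel        = $props.CDNBaseUrl      # identifies the update channel
        UpdatesEnabled = $props.UpdatesEnabled  # "False" here often means a paused channel
    }
}

function Get-OutlookPlainTextState {
    # ReadAsPlain = 1 makes Outlook render HTML/RTF mail as plain text for this user.
    $key = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
    $val = (Get-ItemProperty -Path $key -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    return ($val -eq 1)
}

function Set-OutlookPlainText {
    # Temporary mitigation only; Outlook must be restarted for it to take effect.
    $key = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name ReadAsPlain -PropertyType DWord -Value 1 -Force | Out-Null
}

$office = Get-OfficeC2RVersion
if ($null -eq $office) {
    Write-Output "$($env:COMPUTERNAME): no Click-to-Run Office found (MSI-based builds need a separate check)"
} else {
    $status = if ($office.Version -ge $MinimumPatchedBuild) { 'PATCHED' } else { 'EXPOSED' }
    Write-Output ('{0}: Office {1} channel={2} updates_enabled={3} -> {4}' -f `
        $env:COMPUTERNAME, $office.Version, $office.Channel, $office.UpdatesEnabled, $status)
}

if ($EnablePlainText) { Set-OutlookPlainText }
$plain = Get-OutlookPlainTextState
Write-Output ('{0}: Outlook ReadAsPlain for {1} = {2}' -f $env:COMPUTERNAME, $env:USERNAME, $plain)
```

Run it locally, or fan it out to a list of hosts with Invoke-Command -FilePath and collect the one-line results; endpoints reporting EXPOSED with updates_enabled=False are the paused-channel and gold-image cases the text warns about. The plain-text setting is per user, so the ReadAsPlain line only reflects the account the script runs under.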

Bigger Picture

CVE-2026-40361 fits a familiar pattern: mature desktop applications remain high-value targets because they parse complex, attacker-controlled content on behalf of users. Word and Outlook are especially sensitive because they sit at the intersection of documents, email, identity, and enterprise trust.

The lesson is not that email is broken. The lesson is that preview and rendering engines deserve the same urgency defenders already give to browser zero-click paths. Anything that automatically parses untrusted content at enterprise scale can become an intrusion gateway.

NeuraCyb's Assessment

CVE-2026-40361 deserves fast treatment because it attacks the gap between how vendors classify bugs and how attackers use them. Microsoft may list it under Word, but defenders should hunt for exposure through Outlook. In practical terms, this is an email-rendering risk until proven otherwise — and the patch window should be measured in urgency, not convenience.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, cybersecurity incident response, products, and security solutions architecture.