Microsoft has disclosed CVE‑2026‑41035, a remote code execution vulnerability in Outlook for Windows with a CVSS score of 9.8. Attackers can execute arbitrary code via specially crafted email content. A patch is available in the March 2026 Patch Tuesday. Organizations must apply the update immediately and enforce safe email handling policies.
CVE‑2026‑41035 – Outlook Remote Code Execution
Impact in a sentence – A malicious email can run code on a victim’s machine without user interaction, giving attackers full control of the system.
What is affected?
- Product: Microsoft Outlook for Windows (both 32‑bit and 64‑bit builds).
- Versions: 2308 (build 16.0.23084.10000) and later up to 2312 (build 16.0.23126.10000). The vulnerability is present in all cumulative updates released between October 2025 and February 2026.
- Related components: Outlook’s rendering engine for HTML and RTF email bodies, the MAPI subsystem, and the Office COM object loader.
Technical details
- CVE ID: CVE‑2026‑41035
- CVSS v3.1 Base Score: 9.8 (Critical)
- Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged.
- Vulnerability type: Memory‑corruption bug (use‑after‑free) in the HTMLView component.
- Root cause: When Outlook parses an email containing a crafted Content‑Type: multipart/alternative block, it allocates a buffer for the HTML part, frees it prematurely, and then continues to write data into the freed region while processing the RTF part. The freed memory is later re‑used by a COM object that loads attacker‑controlled data, resulting in arbitrary code execution.
- Exploitation: An attacker sends a single email to a target. The email does not need to be opened; merely being delivered to the inbox triggers the parsing routine. If the victim’s Outlook is running (even in the background), the payload executes with the same privileges as the logged‑in user.
- Potential impact: Full system compromise, credential theft, lateral movement, ransomware deployment, data exfiltration.
Timeline
| Date | Event |
|---|---|
| 2026‑02‑28 | Vulnerability discovered internally by Microsoft Security Response Center (MSRC). |
| 2026‑03‑01 | Private disclosure to affected customers via the Security Update Guide. |
| 2026‑03‑02 | Advisory published on the Microsoft Security Response Center portal. |
| 2026‑03‑09 | Patch released as part of the March 2026 Patch Tuesday (KB5029385). |
| 2026‑03‑12 | Advisory added to the CISA Known Exploited Vulnerabilities (KEV) catalog. |
Mitigation steps
- Apply the patch immediately – Deploy the March 2026 cumulative update (KB5029385) to all Windows machines running Outlook. Use WSUS, SCCM, Intune, or your preferred patch‑management tool.
- Verify installation – Run winver or check Control Panel → Programs → Installed Updates for the KB number. Confirm the version is 16.0.23126.10000 or later.
- Enable Enhanced Email Filtering – In Exchange Online or on‑prem Exchange, turn on Safe Links and Safe Attachments policies to block malicious content before it reaches Outlook.
- Restrict Outlook macro execution – Set Group Policy User Configuration → Administrative Templates → Microsoft Outlook → Security → Disable all macros without notification to Enabled.
- Monitor for Indicators of Compromise (IOCs) – Look for the following in Windows Event Logs and Sysmon:
  - Event ID 4688 with outlook.exe spawning powershell.exe or cmd.exe.
  - Network connections from Outlook to unknown external IPs on ports 80/443.
  - Creation of new scheduled tasks named OutlookUpdater.
- Isolate compromised systems – If you suspect exploitation, disconnect the machine from the network, capture a memory dump, and run Microsoft’s Malware Removal Tool.
- Educate users – Even though exploitation does not require interaction, remind users to avoid opening unexpected attachments and to report suspicious emails.
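The following Python script is an added example and is not part of the advisory or Microsoft's tooling. It turns the "verify installation" step and the three IOCs above into checks that run over sample data: a build comparison against the fixed version the advisory names, and three detection rules over a constructed key=value rendering of Security events (4688 process creation, 4698 scheduled-task creation) and Sysmon Event ID 3 (network connection). The sample events, the key=value log format, and the set of "internal" address ranges are assumptions made for the example; in practice the events would come from the Security log and Sysmon, and the external-address rule would also consult an organisation-specific allowlist of known-good mail endpoints.

```python
"""Patch check and IOC hunt for the Outlook advisory (added example, not Microsoft's tooling)."""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Build the advisory names as fixed; anything equal or newer is treated as patched.
FIXED_BUILD = (16, 0, 23126, 10000)

# Child processes the advisory flags when spawned by outlook.exe.
SHELL_CHILDREN = {"powershell.exe", "cmd.exe"}
SUSPICIOUS_TASK = "OutlookUpdater"
WATCHED_PORTS = {"80", "443"}

# Assumption: "internal" means these ranges; an organisation would extend this
# with its own address space plus an allowlist of known-good mail endpoints.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample events in a simple key=value rendering of Security (4688, 4698)
# and Sysmon (Event ID 3) fields; not real log output.
SAMPLE_EVENTS = r"""
EventID=4688 ParentProcessName="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" SubjectUserName=jdoe
EventID=4688 ParentProcessName="C:\Windows\explorer.exe" NewProcessName="C:\Windows\System32\notepad.exe" SubjectUserName=jdoe
EventID=3 Image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" DestinationIp=203.0.113.45 DestinationPort=443
EventID=3 Image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" DestinationIp=10.0.0.25 DestinationPort=443
EventID=4698 TaskName="\OutlookUpdater" SubjectUserName=jdoe
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '16.0.23126.10000' into a tuple of integers that compares numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def outlook_is_patched(version: str) -> bool:
    """True when the installed Outlook build is the fixed build or later."""
    return parse_build(version) >= FIXED_BUILD


def parse_event(line: str) -> dict:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def image_name(path: str) -> str:
    """Lower-case file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def match_ioc(event: dict) -> Optional[str]:
    """Return the name of the advisory IOC an event matches, or None."""
    eid = event.get("EventID")
    if eid == "4688":  # process creation
        parent = image_name(event.get("ParentProcessName", ""))
        child = image_name(event.get("NewProcessName", ""))
        if parent == "outlook.exe" and child in SHELL_CHILDREN:
            return "outlook-spawned-shell"
    elif eid == "3":  # Sysmon network connection
        if (image_name(event.get("Image", "")) == "outlook.exe"
                and event.get("DestinationPort") in WATCHED_PORTS
                and is_external(event.get("DestinationIp", "127.0.0.1"))):
            return "outlook-external-connection"
    elif eid == "4698":  # scheduled task created
        if event.get("TaskName", "").strip("\\").lower() == SUSPICIOUS_TASK.lower():
            return "suspicious-scheduled-task"
    return None


def hunt(lines: Iterable[str]) -> List[Tuple[str, dict]]:
    """Run every rule over every non-empty line; return (rule, event) hits in order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_event(line)
        rule = match_ioc(event)
        if rule:
            hits.append((rule, event))
    return hits


if __name__ == "__main__":
    for installed in ("16.0.23084.10000", "16.0.23126.10000"):
        print(installed, "patched" if outlook_is_patched(installed) else "VULNERABLE")
    for rule, event in hunt(SAMPLE_EVENTS.splitlines()):
        print(rule, "->", event.get("SubjectUserName") or event.get("DestinationIp"))
```

Over the constructed sample the script reports the first 4688 line (Outlook spawning PowerShell), the connection to 203.0.113.45 on 443, and the OutlookUpdater task, and ignores the notepad launch and the connection to the internal 10.0.0.25 address. The external-address rule is deliberately coarse: without a per-organisation allowlist it will also flag legitimate mail-server and update traffic, so it is best treated as a triage signal alongside the other two rules rather than an alert on its own.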
Why this matters now
The CVE‑2026‑41035 bug is one of the highest‑severity Outlook flaws published in the last year. Its “no‑user‑interaction” nature means attackers can weaponize a single email to compromise an entire organization quickly. The vulnerability aligns with recent threat‑actor campaigns that use spear‑phishing as an initial foothold, then pivot laterally using stolen credentials.
References
- Microsoft Security Advisory: CVE‑2026‑41035 Details
- Patch download: KB5029385 – Outlook Security Update
- CISA KEV Catalog entry: CVE‑2026‑41035
- MITRE ATT&CK technique: T1203 – Exploitation for Client Execution
Bottom line – CVE‑2026‑41035 is a critical, remotely exploitable flaw that can give attackers full control of a system without any user action. Apply the March 2026 Outlook update today, enforce strict email filtering, and monitor for the listed IOCs. Delay equals increased risk of a rapid, wide‑scale breach.