A remote code execution flaw (CVE‑2026‑45498) affects Microsoft Outlook 2016‑2021 and Outlook for Windows. With a CVSS score of 9.8, attackers can execute arbitrary code via a crafted email. Apply the March 2026 security update now and disable unsafe HTML rendering as a temporary mitigation.
Critical Remote Code Execution in Microsoft Outlook (CVE‑2026‑45498)
Impact:
- Remote code execution (RCE) on Windows machines running Outlook 2016, 2019, 2021, or the Outlook component of Microsoft 365.
- Attackers gain the full privileges of the logged‑on user; the only user interaction required is opening the malicious email.
- CVSS v3.1 base score: 9.8 (Critical).
Technical Details
CVE‑2026‑45498 resides in the HTML rendering engine used by Outlook to display email bodies. The flaw is a use‑after‑free bug triggered when the engine processes a specially crafted <script> tag containing malformed JavaScript objects. The steps are:
- Email Crafting – The attacker embeds a malicious HTML payload that references a freed object.
- Memory Corruption – Outlook frees the object during normal parsing, but the script later accesses it, corrupting the heap.
- Arbitrary Code Execution – The corrupted heap enables the attacker to overwrite a function pointer, redirecting execution to shellcode embedded in the email.
The vulnerability is exploitable remotely; the only requirement is that the target opens the malicious message. No additional user actions (e.g., clicking a link) are needed. The exploit works on both x86 and x64 builds of Outlook and bypasses existing mitigations such as Control Flow Guard (CFG) because the corrupted pointer lands within a trusted Outlook module.
Affected Products
| Product | Versions Affected |
|---|---|
| Microsoft Outlook (stand‑alone) | 2016, 2019, 2021 |
| Outlook for Microsoft 365 (Windows) | All current channel builds prior to 2026‑03‑01 |
| Outlook on Windows Server (Exchange) | 2016‑2021 with Outlook client installed |
Exploit Timeline
- 2026‑02‑12 – Private disclosure to Microsoft via the MSRC Vulnerability Coordination Program.
- 2026‑02‑20 – Microsoft issues an internal advisory and begins development of a patch.
- 2026‑02‑28 – Proof‑of‑concept (PoC) leaked on a public security forum, demonstrating remote exploitation.
- 2026‑03‑01 – Security update released via Windows Update and Microsoft Update Catalog.
Mitigation Steps
1. Apply the March 2026 Security Update Immediately
- For Windows 10/11 and Windows Server 2016‑2022, the patch is included in KB5029389. Install via Windows Update, WSUS, or Microsoft Endpoint Configuration Manager.
- For Microsoft 365 customers, the update rolls out automatically through the Office 365 Update Channel. Verify installation via File → Office Account → Update Options → View Updates.
2. Temporary Work‑around (If Patch Cannot Be Applied Immediately)
- Disable HTML rendering in Outlook: File → Options → Trust Center → Trust Center Settings → Email Security → Read all standard mail in plain text. This blocks the vulnerable code path but reduces email usability.
- Enable Enhanced Email Protection in Exchange Online Protection (EOP) to strip potentially dangerous HTML tags.
3. Verify Patch Deployment
- Run `Get-HotFix -Id KB5029389` on affected machines.
- Check the Outlook version string: `Outlook.exe /about` should show build 16.0.XXXXX.0 with a build date of Mar 2026 or later.
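The following script ties the three steps together (patch present, temporary work‑around in place, Outlook build check) and is an added example, not part of the original advisory. It assumes a placeholder fixed build, since the advisory gives only 16.0.XXXXX.0, and that ReadAsPlain under the Outlook Options\Mail key is the registry value behind the Trust Center "Read all standard mail in plain text" option.

```powershell
# Added verification helper for the mitigation steps above; not part of the advisory.
# ASSUMPTIONS: $FixedBuild is a PLACEHOLDER (the advisory only gives 16.0.XXXXX.0) and
# ReadAsPlain under Outlook\Options\Mail is the value behind "Read all standard mail in plain text".
param(
    [version]$FixedBuild = '16.0.99999.0',   # PLACEHOLDER: replace with the March 2026 build
    [switch]$EnforcePlainText                # opt in to apply the temporary work-around
)

$MailKey = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'

function Get-OutlookBuild {
    # Click-to-Run installs (Microsoft 365, retail 2019/2021) report their version here
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r.VersionToReport) { return [version]$c2r.VersionToReport }
    # MSI installs (e.g. volume-licence Outlook 2016): use the file version of OUTLOOK.EXE
    $app = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE' -ErrorAction SilentlyContinue
    if ($app.'(default)' -and (Test-Path $app.'(default)')) {
        return [version](Get-Item $app.'(default)').VersionInfo.FileVersion
    }
    return $null
}

$build     = Get-OutlookBuild
$patched   = ($null -ne $build) -and ($build -ge $FixedBuild)
$kbPresent = [bool](Get-HotFix -Id KB5029389 -ErrorAction SilentlyContinue)
$plainText = (Get-ItemProperty $MailKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain -eq 1

# Step 2: if the patch is not in place, optionally enforce the plain-text work-around for this user
if (-not $patched -and -not $plainText -and $EnforcePlainText) {
    New-Item -Path $MailKey -Force | Out-Null
    Set-ItemProperty -Path $MailKey -Name ReadAsPlain -Value 1 -Type DWord
    $plainText = $true
}

# Step 3: one row per host, suitable for collection via Invoke-Command and CSV export
$buildText = if ($build) { $build.ToString() } else { 'not installed' }
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OutlookBuild = $buildText
    PatchedBuild = $patched
    KB5029389    = $kbPresent
    ReadAsPlain  = $plainText
    Exposed      = ($null -ne $build) -and -not $patched -and -not $plainText
}
```

Run it per machine, or fan it out with Invoke-Command and export the returned objects to CSV for the compliance check in the closing paragraph; pass -EnforcePlainText only on hosts where the patch cannot be installed yet.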
Broader Context
Outlook has been a frequent target for RCE bugs because its email rendering pipeline mixes legacy COM components with modern web technologies. This vulnerability follows a pattern seen in CVE‑2025‑36712 and CVE‑2024‑21568, where use‑after‑free errors in the HTML engine were exploited. Microsoft’s rapid patch cycle this year reflects increased pressure from nation‑state actors who have weaponized similar flaws in phishing campaigns.
What Organizations Should Do Next
- Audit all Windows endpoints for the vulnerable Outlook versions.
- Prioritize patching for high‑value accounts (executives, finance, IT admins).
- Monitor email gateways for the known malicious payload signature (SHA‑256: 3f9e2a...).
- Educate users to report unexpected email formatting issues, which may indicate an attempted exploit.
- Review existing endpoint detection and response (EDR) rules for memory corruption alerts.
References
- Microsoft Security Update Guide entry: CVE‑2026‑45498
- Official KB article: KB5029389
- Outlook documentation on plain‑text email settings: Outlook Trust Center
- Analysis of the PoC leak: SecurityResearchBlog.com – Outlook RCE
Take action now. The window between the PoC leak and patch deployment is short. Deploy the March 2026 update, enforce the temporary plain‑text setting if needed, and verify compliance across your environment.