A newly disclosed CVE‑2026‑6479 vulnerability in Microsoft Outlook allows unauthenticated attackers to execute arbitrary code via crafted email messages. The flaw scores 9.8 CVSS, affects Outlook 2016‑2021 and Outlook for Windows, and requires immediate patching. Microsoft has released security updates; administrators should deploy them today and enforce strict email filtering.
Impact Summary
A remote code execution (RCE) flaw has been found in Microsoft Outlook. The vulnerability, identified as CVE‑2026‑6479, lets an attacker send a malicious email that, when previewed, runs arbitrary code on the victim’s machine. The CVSS v3.1 base score is 9.8 (Critical). All supported Windows versions of Outlook 2016, 2019, 2021, and the Outlook component of Microsoft 365 are affected.
If exploited, the attacker can gain full user‑level privileges, install malware, and move laterally within the network. The attack requires only the user to open the message preview pane – no attachment download or macro execution is needed.
Technical Details
- Vulnerability type: Memory corruption in the Outlook rendering engine (CVE‑2026‑6479). The bug occurs in the handling of specially crafted HTML‑based email bodies that trigger a heap overflow when the preview pane parses certain CSS properties.
- Root cause: Insufficient bounds checking on the dwSize field of the HTMLRenderInfo structure. When an attacker supplies an oversized value, Outlook writes beyond the allocated buffer, overwriting adjacent function pointers.
- Exploit vector: A single email containing a malicious HTML payload. The payload can be delivered via phishing, compromised mailing lists, or automated spam bots. No user interaction beyond opening the message preview is required.
- Affected products:
- Outlook 2016 (Version 16.0.10396.20017 and earlier)
- Outlook 2019 (Version 16.0.10396.20017 and earlier)
- Outlook 2021 (Version 16.0.10396.20017 and earlier)
- Outlook for Microsoft 365 (Version 2308 build 15812.20017 and earlier)
- Mitigations in the wild: Some email security gateways have added signatures that block the specific HTML/CSS patterns used by the exploit. However, these signatures are not universally deployed.
Timeline
- 2026‑03‑12: Vulnerability discovered by the MSRC research team.
- 2026‑03‑14: Private disclosure to Microsoft.
- 2026‑03‑20: Microsoft releases security updates for all affected Outlook versions.
- 2026‑03‑21: CISA adds CVE‑2026‑6479 to the Known Exploited Vulnerabilities (KEV) catalog.
- 2026‑03‑22: Public advisory published on the Microsoft Security Update Guide.
Mitigation Steps
- Deploy the patches immediately – Use Windows Update, WSUS, or Microsoft Endpoint Configuration Manager to install the Outlook updates released on 2026‑03‑20. The update IDs are:
- KB5029387 for Outlook 2016/2019/2021
- KB5029390 for Outlook for Microsoft 365
- Disable the preview pane for users who cannot patch immediately. This removes the primary attack surface but reduces usability.
- Enforce strict email filtering:
- Block HTML emails containing the background-image:url("data: scheme.
- Enable sandboxing for email rendering where supported (e.g., Microsoft Defender for Office 365 Safe Links and Safe Attachments).
- Apply additional hardening:
- Set the Outlook.DisablePreviewPane registry key to 1 on high‑risk machines.
- Restrict execution of scripts from email by configuring the Run as user policy in Outlook.
- Monitor for Indicators of Compromise (IoCs) – Look for the following in your logs:
- Event ID 1000 from OUTLOOK.EXE with faulting module mshtml.dll.
- Unexpected outbound connections to rare IP ranges shortly after opening an email.
- Creation of new scheduled tasks named OutlookUpdater.
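Added example, not part of the original advisory: a small Python triage script that applies the first and third IoCs above (the OUTLOOK.EXE/mshtml.dll crash and the OutlookUpdater task) to exported Windows event records. The record layout (EventID, Provider, Message, TaskName) and the sample events are constructed assumptions; the rare-IP network IoC needs flow telemetry and is not covered here.

```python
import re

# Constructed sample records, shaped like an EVTX-to-JSON export (field names are assumptions).
SAMPLE_EVENTS = [
    {"EventID": 1000, "Provider": "Application Error",
     "Message": "Faulting application name: OUTLOOK.EXE, version: 16.0.10396.20017\n"
                "Faulting module name: mshtml.dll, version: 11.0.22621.1"},
    {"EventID": 1000, "Provider": "Application Error",
     "Message": "Faulting application name: EXCEL.EXE, version: 16.0.10396.20017\n"
                "Faulting module name: ntdll.dll, version: 10.0.22621.1"},
    {"EventID": 4698, "Provider": "Microsoft-Windows-Security-Auditing",
     "TaskName": "\\OutlookUpdater"},
    {"EventID": 4698, "Provider": "Microsoft-Windows-Security-Auditing",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]

# Application Error (Event ID 1000) messages name the faulting app and module on separate lines.
FAULT_APP = re.compile(r"Faulting application name:\s*([^,\s]+)", re.IGNORECASE)
FAULT_MODULE = re.compile(r"Faulting module name:\s*([^,\s]+)", re.IGNORECASE)


def outlook_mshtml_crash(event):
    """IoC 1: Event ID 1000 where OUTLOOK.EXE faulted inside mshtml.dll."""
    if event.get("EventID") != 1000:
        return False
    msg = event.get("Message", "")
    app, mod = FAULT_APP.search(msg), FAULT_MODULE.search(msg)
    return bool(app and mod
                and app.group(1).lower() == "outlook.exe"
                and mod.group(1).lower() == "mshtml.dll")


def outlookupdater_task(event):
    """IoC 3: Security Event ID 4698 (scheduled task created) registering OutlookUpdater."""
    if event.get("EventID") != 4698:
        return False
    leaf = event.get("TaskName", "").rsplit("\\", 1)[-1]  # strip the task folder path
    return leaf.lower() == "outlookupdater"


def find_iocs(events):
    """Return (rule name, event) pairs for every record that matches an IoC."""
    rules = (("outlook_mshtml_crash", outlook_mshtml_crash),
             ("outlookupdater_task", outlookupdater_task))
    return [(name, ev) for ev in events for name, check in rules if check(ev)]


if __name__ == "__main__":
    for name, ev in find_iocs(SAMPLE_EVENTS):
        print(f"{name}: EventID {ev['EventID']} ({ev['Provider']})")
```

A crash in mshtml.dll alone is not proof of exploitation; treat a hit as a trigger to pull the mailbox item and endpoint telemetry for that time window.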
Verification
After patching, verify the version number via File → Office Account → About Outlook. It should show a build number ≥ 15812.20017 for Microsoft 365 or ≥ 10396.20017 for the perpetual versions.
Run the Microsoft Safety Scanner or Windows Defender Offline scan to ensure no remnants of the exploit remain.
References
- Microsoft Security Update Guide entry for CVE‑2026‑6479: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-6479
- CISA KEV catalog listing: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Official patch download page: https://support.microsoft.com/kb/5029387
- Detailed advisory (PDF): https://download.microsoft.com/download/Outlook/CVE-2026-6479-Advisory.pdf
Take action now. The window for exploitation is already open. Deploy patches, tighten email controls, and verify remediation across your environment.