Critical Remote Code Execution Vulnerability Discovered in Microsoft Outlook (CVE‑2026‑42959)

Vulnerabilities Reporter

A new flaw in Microsoft Outlook, CVE‑2026‑42959, allows unauthenticated attackers to execute arbitrary code via crafted email messages. The vulnerability carries a CVSS base score of 9.8, affects Outlook 2016‑2021 and Outlook for Microsoft 365, and is being actively exploited. Microsoft has released patches for all supported versions; organizations must apply them immediately and enforce safe email handling policies.

Immediate Impact

A remote code execution (RCE) flaw has been identified in Microsoft Outlook. The vulnerability, tracked as CVE‑2026‑42959, enables an unauthenticated attacker to run arbitrary code on a victim’s machine simply by sending a specially crafted email. Microsoft’s own advisory flags the issue as critical, assigning a CVSS v3.1 base score of 9.8.

If exploited, the attacker can:

  • Install malware or ransomware without user interaction.
  • Harvest credentials stored in the Outlook profile.
  • Pivot to other systems on the internal network.

The vulnerability is being leveraged in the wild as of early May 2026. Early reports indicate phishing campaigns that embed malicious Rich Text Format (RTF) payloads targeting large enterprises.


Technical Details

Affected Products

Product                              Versions Affected                                   Support Status
-----------------------------------  --------------------------------------------------  ---------------
Microsoft Outlook (stand‑alone)      2016, 2019, 2021                                    Fully supported
Outlook for Microsoft 365 (Windows)  Current Channel, Semi‑Annual Enterprise Channel     Fully supported
Outlook for Mac                      2022‑2025                                           Fully supported
Outlook on iOS/Android               5.0‑5.3                                             Fully supported

The flaw resides in the RTF rendering engine used when Outlook parses inbound messages. A crafted RTF object can overflow a fixed‑size buffer, corrupting adjacent heap structures. The overflow bypasses Address Space Layout Randomization (ASLR) by corrupting a function pointer in a known module (mshtml.dll). When the pointer is dereferenced, attacker‑controlled shellcode executes with the privileges of the logged‑in user.

Exploit Chain

  1. Email Delivery – Attacker sends an email containing a malicious RTF attachment.
  2. Automatic Preview – Outlook’s preview pane automatically renders the RTF content, triggering the overflow.
  3. Heap Spray – The payload includes a heap spray that positions shellcode at a predictable address.
  4. Control Transfer – Corrupted function pointer redirects execution to the shellcode.
  5. Payload Execution – Shellcode downloads and runs a second‑stage payload, typically a ransomware or credential‑stealer.

The vulnerability does not require the user to open the attachment; merely previewing the message is sufficient. This behavior mirrors the historic CVE‑2021‑26855 Exchange exploit, but the attack surface is broader because Outlook is installed on virtually every Windows workstation.


Mitigation Steps

  1. Apply the Patch – Microsoft released security updates on May 14, 2026 for all affected Outlook versions. Download from the official Microsoft Update Catalog or via Windows Update.
  2. Disable Automatic Preview – In Outlook, go to File → Options → Trust Center → Trust Center Settings → Automatic Download and uncheck “Turn on automatic picture download in HTML e‑mail” and “Enable preview for attachments”.
  3. Enable Enhanced Attachment Scanning – Deploy Microsoft Defender for Endpoint with the “Block potentially unwanted applications” policy enabled.
  4. Restrict RTF Rendering – Use Group Policy to force Outlook to treat all inbound messages as plain text: User Configuration → Administrative Templates → Microsoft Outlook → Mail → Compose messages → Compose messages in plain text.
  5. Network‑Level Filtering – Configure email gateways (Proofpoint, Mimecast, etc.) to strip RTF content or quarantine messages with RTF attachments from unknown senders.
  6. Monitor for Indicators of Compromise (IOCs) – Look for outlook.exe loading mshtml.dll and then spawning child processes with anomalous command‑line arguments, or for outbound connections to known malicious C2 domains listed in the Microsoft Threat Intelligence portal.
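The following PowerShell script is an added example, not code from the advisory or from Microsoft. It audits steps 1 and 4 above on a single workstation: it reads the installed Outlook build and compares it against a patched build, then sets the policy value that makes Outlook display inbound mail as plain text. Assumptions: the Office 16.0 registry hive (Outlook 2016, 2019, 2021 and Microsoft 365 all use it); the `ReadAsPlain` and `ReadSignedAsPlain` DWORD values under the Outlook policy key, which is how the "Read e‑mail as plain text" Group Policy is stored; and `$MinimumBuild`, which is a placeholder because the advisory names the update only by KB number, not by build.

```powershell
# Added example (not from the advisory): audit and apply the Outlook-side
# mitigations on one Windows workstation. Run from an elevated PowerShell so
# the HKLM reads succeed; the policy values are written to the current user.
# ASSUMPTIONS: Office hive 16.0; ReadAsPlain/ReadSignedAsPlain policy values;
# $MinimumBuild is a PLACEHOLDER to be replaced with the build shipped in the fix.

$PolicyMailKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'
$C2RConfigKey  = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$AppPathsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
$MinimumBuild  = [version]'16.0.0.0'   # PLACEHOLDER: build number of the patched Outlook

function Get-OutlookBuild {
    # Click-to-Run installs (Microsoft 365, 2019, 2021) report their build here.
    $cfg = Get-ItemProperty -Path $C2RConfigKey -ErrorAction SilentlyContinue
    if ($cfg -and $cfg.VersionToReport) { return [version]$cfg.VersionToReport }

    # MSI-based Outlook 2016: fall back to the file version of outlook.exe,
    # located through the App Paths registration so PATH does not matter.
    $app = Get-ItemProperty -Path $AppPathsKey -ErrorAction SilentlyContinue
    if ($app -and (Test-Path $app.'(default)')) {
        return [version](Get-Item $app.'(default)').VersionInfo.FileVersion
    }
    return $null
}

function Test-OutlookPatched {
    # Returns the detected build and whether it is at or above $MinimumBuild.
    $build = Get-OutlookBuild
    [pscustomobject]@{
        Build   = $build
        Patched = ($null -ne $build) -and ($build -ge $MinimumBuild)
    }
}

function Set-OutlookReadAsPlainText {
    # Policy values that make Outlook render inbound mail (plain and signed)
    # as plain text, so the rich-text renderer does not run on untrusted input.
    if (-not (Test-Path $PolicyMailKey)) { New-Item -Path $PolicyMailKey -Force | Out-Null }
    foreach ($name in 'ReadAsPlain', 'ReadSignedAsPlain') {
        New-ItemProperty -Path $PolicyMailKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-ItemProperty -Path $PolicyMailKey | Select-Object ReadAsPlain, ReadSignedAsPlain
}

# Usage: report patch state, then enforce plain-text reading for this user.
Test-OutlookPatched
Set-OutlookReadAsPlainText
```

In a fleet deployment the two policy values would be delivered by Group Policy or an Intune configuration profile rather than by this script; the script is useful for spot checks and for verifying that the policy actually landed. Note the trade‑off: with `ReadAsPlain` set, users lose HTML formatting in every message until the value is cleared after patching.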

Timeline

  • April 28, 2026 – Initial reports of anomalous RTF‑based phishing observed by several SOCs.
  • May 2, 2026 – Microsoft acknowledges a vulnerability in internal tracking.
  • May 10, 2026 – Public disclosure of CVE‑2026‑42959 via the Microsoft Security Update Guide.
  • May 14, 2026 – Security patches released for all supported Outlook versions.
  • May 16, 2026 – CISA adds CVE‑2026‑42959 to its Known Exploited Vulnerabilities (KEV) catalog.

What to Do Now

  1. Verify that the latest Outlook update (KB 5078953 or later) is installed on every workstation.
  2. Enforce the configuration changes listed in the mitigation section via Group Policy or Intune.
  3. Run a forced update of Microsoft Defender signatures and enable cloud‑delivered protection.
  4. Conduct a rapid scan for the IOCs provided in the Microsoft Defender Threat Intelligence portal.
  5. Educate users about the new phishing vector: Do not preview attachments from unknown senders.
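As an added example, not part of the advisory, the PowerShell below implements the process‑tree indicator from mitigation step 6 and the IOC sweep in step 4 above: it flags process‑creation events in which outlook.exe is the parent of a shell, script host or other living‑off‑the‑land binary. It assumes events shaped like Sysmon Event ID 1 (`ParentImage`, `Image`, `CommandLine`); the watch list of child processes is this example's own choice, and the sample events are constructed, not real telemetry.

```powershell
# Added example (not from the advisory): detect outlook.exe spawning a shell or
# script host, the process-tree pattern behind the advisory's IOC guidance.
# ASSUMPTIONS: Sysmon-style fields (ParentImage, Image, CommandLine); the
# child-process watch list below is illustrative and should be tuned locally.

$WatchedChildren = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                     'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe',
                     'certutil.exe', 'bitsadmin.exe')

function Find-SuspiciousOutlookChildren {
    # Emits one record per event where outlook.exe is the parent of a watched binary.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($parent -eq 'outlook.exe' -and $WatchedChildren -contains $child) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Child       = $child
                CommandLine = $e.CommandLine
                Reason      = "outlook.exe spawned $child"
            }
        }
    }
}

function Get-SysmonProcessCreateEvents {
    # Pulls Sysmon Event ID 1 from the local log and projects the fields the
    # detector needs. Requires Sysmon and an elevated session.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ParentImage = $d['ParentImage']
                Image       = $d['Image']
                CommandLine = $d['CommandLine']
            }
        }
}

# Constructed sample events (not real telemetry): two benign, one suspicious.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2026-05-15T09:01:00'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
                       Image       = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = '"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\quote.docx"' }
    [pscustomobject]@{ TimeCreated = '2026-05-15T09:02:30'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe' }
    [pscustomobject]@{ TimeCreated = '2026-05-15T09:03:12'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage2.ps1' }
)

# Usage: run over the constructed sample; swap in Get-SysmonProcessCreateEvents for live data.
Find-SuspiciousOutlookChildren -Events $sample | Format-Table -AutoSize
```

Only the third sample event is reported; Outlook launching Word to open an attachment is routine and stays out of the watch list. Replace `$sample` with `Get-SysmonProcessCreateEvents` to sweep a live endpoint, or port the same parent/child test to your EDR's query language for fleet‑wide hunting.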

Failure to act quickly could result in ransomware outbreaks similar to the 2023 LockBit wave. The window for exploitation is already open; the only defense is immediate patching and hardened email handling.

