A remote code execution flaw (CVE‑2026‑41674) affecting Microsoft Outlook 2021‑2024 allows attackers to execute arbitrary code via specially crafted email attachments. The vulnerability carries a CVSS score of 9.8, is being actively exploited, and requires immediate patching. Microsoft has released security updates; users must apply them now and follow the mitigation steps below.
Immediate Impact
A remote code execution (RCE) flaw has been identified in Microsoft Outlook versions 2021, 2022, 2023, and 2024. The vulnerability, cataloged as CVE‑2026‑41674, enables a malicious actor to execute arbitrary code on a victim’s machine simply by sending a specially crafted email attachment. The CVSS v3.1 base score is 9.8 (Critical). Exploits are already observed in the wild, targeting corporate mailboxes and high‑value individuals.
Technical Details
Outlook parses email attachments using the Attachment Services component. CVE‑2026‑41674 stems from an integer overflow in the ParseAttachmentHeader routine. When the attachment’s Content‑Length field exceeds the expected buffer size, the routine fails to validate the length before copying data into a fixed‑size stack buffer. An attacker can overflow the buffer, overwrite the return address, and hijack execution flow.
The vulnerability is triggered under the following conditions:
- The victim opens Outlook and receives an email with a malicious attachment (e.g., a .docx, .pdf, or custom MIME part).
- Outlook automatically processes the attachment preview, invoking the vulnerable parser.
- The crafted header causes the overflow, allowing shellcode execution with the privileges of the Outlook process (typically the logged‑in user).
Because Outlook often runs with the user’s credentials, the attacker can later pivot to higher‑privilege assets, especially in environments where users have administrative rights on their workstations.
Affected Products
| Product | Versions Affected |
|---|---|
| Microsoft Outlook | 2021 (Build 16.0.15000) – 2024 (Build 16.0.19000) |
| Microsoft 365 (Enterprise) | All current channel releases up to March 2026 |
| Outlook for Windows | Same as above |
| Outlook for Mac | Not vulnerable (different rendering engine) |
The issue does not affect Outlook on mobile platforms (iOS/Android) because they use a sandboxed rendering path.
Mitigation Steps
- Apply the security update immediately – Microsoft released patches on 2026‑04‑30. Deploy via Windows Update, WSUS, or Microsoft Endpoint Manager.
- Disable automatic attachment preview – In Outlook, go to File → Options → Trust Center → Trust Center Settings → Automatic Download and uncheck “Don’t download pictures automatically in HTML e‑mail messages” and “Turn off attachment preview”.
- Enforce attachment scanning – Ensure that an up‑to‑date anti‑malware solution scans all inbound attachments.
- Limit user privileges – Apply the principle of least privilege. Users should not have local admin rights on workstations.
- Monitor for Indicators of Compromise (IoC) – Look for unusual processes spawning from OUTLOOK.EXE, anomalous network connections from user workstations, and the presence of the string CVE‑2026‑41674 in security logs.
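One way to hunt for two of the indicators in that list (OUTLOOK.EXE spawning unexpected child processes, and the CVE id showing up in logs), written here as an added example that is not from the advisory or from Microsoft: a Python script that reads Sysmon-style process-creation records exported as JSON lines and reports the matches. The list of suspicious child images, the hostnames, paths and every sample record are constructed assumptions for this example; the CVE id normalization handles the non-breaking hyphen some advisory text uses, so the match works however a log source renders it.

```python
"""Flag OUTLOOK.EXE process-spawn and CVE-id indicators in exported telemetry.

Records are Sysmon Event ID 1 style process-creation events as JSON lines.
All sample events, hostnames and paths below are constructed for this example.
"""
import json
import ntpath
from dataclasses import dataclass

# Interpreters and LOLBins a mail client has no routine reason to start.
# Assumption: tune this set per environment; it is not from the advisory.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
CVE_ID = "CVE-2026-41674"

# Constructed sample records (JSON lines). Backslashes are doubled because the
# string is raw and JSON escapes them; the last record is a constructed
# antimalware alert whose message carries the CVE id with non-breaking hyphens.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Host": "WS-FIN-07", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "Host": "WS-FIN-07", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n report.docx"}
{"EventID": 1, "Host": "WS-LEG-02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 1, "Host": "WS-LEG-02", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -w hidden"}
{"EventID": 1116, "Host": "WS-LEG-02", "Message": "Antimalware alert: exploit attempt matching CVE\u20112026\u201141674 blocked in OUTLOOK.EXE"}
"""


@dataclass
class Finding:
    host: str
    reason: str
    detail: str


def normalize(text: str) -> str:
    """Map the non-breaking hyphen (U+2011) to ASCII so the CVE id matches
    regardless of how a log source or copied advisory text renders it."""
    return text.replace("\u2011", "-")


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[Finding]:
    """Apply both indicator rules to every record and collect the hits."""
    findings: list[Finding] = []
    for ev in events:
        # Rule 1: OUTLOOK.EXE is the parent of an interpreter or LOLBin.
        # ntpath handles Windows paths even when this runs on a Linux SIEM host.
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent == "outlook.exe" and child in SUSPICIOUS_CHILDREN:
            findings.append(Finding(ev["Host"], "outlook-spawned-child",
                                    f"{child}: {ev.get('CommandLine', '')}"))
        # Rule 2: the CVE id appears anywhere in the record (e.g. an AV alert).
        # ensure_ascii=False keeps U+2011 as a character so normalize() sees it.
        flat = normalize(json.dumps(ev, ensure_ascii=False))
        if CVE_ID in flat:
            findings.append(Finding(ev["Host"], "cve-id-in-log",
                                    ev.get("Message", flat)))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f.host}: {f.reason} -> {f.detail}")
```

Run against the sample, the script reports the cmd.exe and powershell.exe children of OUTLOOK.EXE and the alert record; the WINWORD.EXE child and the explorer.exe-launched cmd.exe are left alone, which is the baseline a real deployment would then extend with the network-connection indicator from the same list.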
Timeline
- 2026‑04‑15 – Vulnerability reported to Microsoft via the MSRC coordinated disclosure program.
- 2026‑04‑22 – Microsoft acknowledges receipt and begins internal analysis.
- 2026‑04‑28 – Exploit code observed in the wild, targeting finance and legal departments.
- 2026‑04‑30 – Microsoft releases security updates (KB5029385) and publishes advisory.
- 2026‑05‑02 – CISA adds CVE‑2026‑41674 to its Known Exploited Vulnerabilities (KEV) catalog.
What to Do Next
- Verify that the patch is installed: run winver and confirm the build number matches the patched version, or check Settings → Update & Security → Windows Update → View update history.
- Review your organization’s email filtering rules. Block attachments with unknown MIME types.
- Conduct a rapid risk assessment for any systems that may have been exposed before the patch deployment.
- Educate end‑users to avoid opening unexpected attachments, even from known contacts.
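For the email-filtering step above, here is an added example (not from the advisory, Microsoft, or any mail gateway vendor) of a gateway-side attachment policy in Python using the standard library email parser: it enumerates the attachments of a message, blocks any whose MIME type is not on an allow-list, and, following the advisory's description of a mismatched Content-Length as the trigger, also blocks a part whose declared length does not match its actual decoded size. The allow-list, size limit, the per-part Content-Length check and the sample message are all assumptions constructed for the example.

```python
"""Gateway-side attachment policy: allow-list MIME types and reject parts whose
declared Content-Length disagrees with the decoded payload.

The message, policy values and the per-part Content-Length rule are constructed
for this example and are not the advisory's or any vendor's configuration.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Allow-list (assumption): "block unknown MIME types" means anything not here.
ALLOWED_TYPES = {
    "application/pdf",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "image/png",
    "text/plain",
}
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024  # policy value, assumption


def build_sample_message() -> bytes:
    """Construct a multipart message with one conforming and two failing attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Q2 report"
    msg.set_content("See attached.")
    # 1) Allowed type, no length claim: passes.
    msg.add_attachment(b"%PDF-1.7\n%constructed sample\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    # 2) MIME type not on the allow-list: blocked.
    msg.add_attachment(b"\x00\x01\x02",
                       maintype="application", subtype="x-custom-part", filename="part.bin")
    # 3) Allowed type but the declared Content-Length is far larger than the
    #    15-byte payload, the header/size mismatch the advisory describes.
    msg.add_attachment(b"PK\x03\x04constructed",
                       maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notes.docx",
                       headers=["Content-Length: 4294967295"])
    return msg.as_bytes()


def check_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) per attachment; verdict is 'ok' or the failed rule."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results: list[tuple[str, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ctype = part.get_content_type()          # normalized to lowercase
        payload = part.get_payload(decode=True) or b""
        if ctype not in ALLOWED_TYPES:
            results.append((name, f"blocked: unknown MIME type {ctype}"))
            continue
        declared = part.get("Content-Length")
        if declared is not None and int(str(declared).strip()) != len(payload):
            results.append((name, f"blocked: declared length {declared} != actual {len(payload)}"))
            continue
        if len(payload) > MAX_ATTACHMENT_BYTES:
            results.append((name, "blocked: exceeds size limit"))
            continue
        results.append((name, "ok"))
    return results


if __name__ == "__main__":
    for filename, verdict in check_attachments(build_sample_message()):
        print(f"{filename}: {verdict}")
```

The check is deliberately an allow-list rather than a deny-list, so a new or renamed MIME subtype is rejected by default; the length comparison is done on the decoded payload, which is the only size the parser on the receiving end will actually see.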
References
- Microsoft Security Update Guide entry for CVE‑2026‑41674
- Official patch download: KB5029385
- CISA KEV catalog entry: CISA.gov/KEV
- Detailed analysis by the Microsoft Threat Intelligence Center: MSTIC Blog
Action required now. Do not wait for a scheduled maintenance window. Apply the update, disable preview, and verify remediation across all affected endpoints.