CVE‑2026‑37460 – Remote Code Execution in Outlook 2026

Immediate Impact

• Affected product: Microsoft Outlook 2026 (desktop and web). Versions 2026.1.0 through 2026.3.5.
• Severity: CVSS v3.1 base score 9.8 (Critical).
• Exploit vector: Remote. An attacker can send a specially crafted email attachment that, when opened, executes arbitrary code with the current user’s privileges.
• Real‑world risk: Phishing campaigns could deliver malicious attachments that bypass standard security checks.

Technical Details

1. Vulnerability type: Improper handling of the MIME header in the attachment parsing engine.
2. Trigger: An email containing a multipart/related body with a nested attachment that includes a malformed Content-Disposition header. The parser fails to validate the boundary string, leading to a buffer overflow.
3. Exploit chain:
   • Attacker crafts email with malicious attachment.
   • Victim opens email in Outlook.
   • Parser reads boundary, overflows stack.
   • Control flow hijacked to attacker‑supplied shellcode.
   • Code executes with user context.
4. Affected components: Outlook.exe (desktop), Outlook Web App (OWA) rendering engine.
5. Root cause: Lack of bounds checking in the MIME boundary parsing routine.

Mitigation Steps

1. Apply the security update immediately. Download from the Microsoft Update Catalog or enable automatic updates.
   • Link: https://www.catalog.update.microsoft.com/Search.aspx?q=Outlook+2026+CVE-2026-37460
2. Disable automatic attachment opening in Outlook settings until the patch is applied.
   • Navigate to File → Options → Trust Center → Trust Center Settings → Attachment Handling.
3. Configure Exchange Transport Rules to block attachments with suspicious MIME types.
   • Example rule: If attachment MIME type = "application/octet-stream" then block.
4. Educate users about phishing. Do not open attachments from unknown senders.
5. Enable Microsoft Defender for Office 365 to add an extra layer of protection.
   • Link: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/microsoft-defender-for-office-365

Timeline

• 2026‑04‑12: CVE disclosed by Microsoft Security Response Center (MSRC).
• 2026‑04‑15: Public advisory released.
• 2026‑04‑18: Security update rolled out to all supported Outlook 2026 installations.
• 2026‑04‑20: Microsoft recommends disabling automatic attachment opening until the update is confirmed.

What to Do Now

1. Verify your Outlook version using Help → About Outlook.
2. Check for pending updates in Windows Update or Office Update.
3. Apply the update as soon as possible.
4. Follow the mitigation steps above.

Further Resources

• MSRC advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-37460
• Outlook security best practices: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-security-basics
• Microsoft Defender for Office 365 documentation: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/microsoft-defender-for-office-365

Do not delay. The flaw is actively exploited in the wild. Apply the patch, enforce attachment controls, and monitor for suspicious email activity.