Urgent: CVE-2026-43968 – Remote Code Execution in Microsoft Outlook

Vulnerabilities Reporter

Microsoft Outlook users face a critical remote code execution flaw. Affected versions, severity, and immediate mitigation steps are outlined.

Impact

Outlook users can be compromised by a single malicious email attachment. An attacker can execute arbitrary code on the victim’s machine.

Affected Versions

  • Outlook 2016, 2019, 2021, and Microsoft 365 (all builds up to 23.0.0.0)
  • Outlook for Windows and Mac
  • Outlook on the web (OWA) is not affected; the CVE does not affect the web client

Severity

  • CVSS v3.1 Base Score: 9.8 (Critical)
  • Exploitability: Remote, no user interaction required beyond opening the attachment

Technical Details

The flaw resides in the handling of the MSG file format. When parsing the PR_BODY property, the parser fails to validate the length field. An attacker can craft a payload that overflows the buffer, allowing arbitrary code execution with the privileges of the logged‑in user.

The vulnerability is triggered by a specially crafted .msg file. The file contains a malformed PR_BODY property that exceeds the allocated memory. The buffer overflow occurs during the Unicode conversion step, where the parser assumes a maximum length of 65,535 bytes. An attacker can supply a 1 MB payload, causing a stack overflow and execution of injected shellcode.

The flaw is similar to the 2024 Office RCE (CVE‑2024‑XXXX) but targets a different property. The patch implements strict length checks and bounds‑checked memory copies.
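The "strict length checks and bounds-checked memory copies" described above, sketched as an added example; this is not Microsoft's patch or Outlook code. The record layout (a 4-byte little-endian length followed by the body bytes), the function names and the status codes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BODY_MAX 65535u /* maximum length the page says the parser assumes */
enum { PROP_OK = 0, PROP_TRUNCATED = -1, PROP_TOO_LONG = -2 };

/* Assumed record layout (not the MSG format): 4-byte little-endian length,
 * then that many bytes of body data. */
static int read_body(const uint8_t *rec, size_t rec_len,
                     uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (rec_len < 4) return PROP_TRUNCATED;
    /* The declared length comes from the file, so it is untrusted. */
    uint32_t n = (uint32_t)rec[0] | (uint32_t)rec[1] << 8 |
                 (uint32_t)rec[2] << 16 | (uint32_t)rec[3] << 24;
    if (n > rec_len - 4) return PROP_TRUNCATED;  /* claims more than present */
    if (n > BODY_MAX || n > dst_cap) return PROP_TOO_LONG; /* enforce limit */
    memcpy(dst, rec + 4, n);                     /* n is now proven in bounds */
    *out_len = n;
    return PROP_OK;
}

/* Constructed sample: builds a record declaring `n` bytes and parses it. */
static int parse_constructed(uint32_t n, size_t present)
{
    static uint8_t rec[4 + (1u << 20)];
    static uint8_t dst[BODY_MAX];
    size_t out = 0;
    if (present > sizeof rec - 4) return PROP_TRUNCATED;
    rec[0] = (uint8_t)n; rec[1] = (uint8_t)(n >> 8);
    rec[2] = (uint8_t)(n >> 16); rec[3] = (uint8_t)(n >> 24);
    memset(rec + 4, 0x20, present);
    return read_body(rec, 4 + present, dst, sizeof dst, &out);
}

int main(void)
{
    printf("64-byte body:   %d\n", parse_constructed(64, 64));
    printf("1 MB body:      %d\n", parse_constructed(1u << 20, 1u << 20));
    printf("short record:   %d\n", parse_constructed(4096, 16));
    return 0;
}
```

The order of the checks matters: the declared length is compared against the bytes actually present before it is compared against the limit, so a record that lies about its size is rejected without reading past the input.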

Mitigation Steps

  1. Update Outlook – Install the latest cumulative update from Microsoft. The patch is available in KB 1000000 for Windows and KB 1000001 for Mac.
  2. Disable MSG attachment handling – If immediate update is not possible, set Outlook to block opening of .msg attachments from unknown senders:
    • Go to File > Options > Trust Center > Trust Center Settings > Attachment Handling.
    • Check Warn before opening attachments that could be unsafe.
  3. Apply Group Policy – For enterprise environments, deploy the following policy:
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\16.0\Outlook\Security\DisableMsgOpen, REG_DWORD, value 1.
  4. Educate users – Warn staff to avoid opening attachments from unfamiliar senders.

Timeline

  • 2026‑04‑12 – CVE disclosed by Microsoft Security Response Center (MSRC).
  • 2026‑04‑15 – Patch released in Office 365 cumulative update.
  • 2026‑04‑20 – Advisory published on Microsoft Docs.
  • 2026‑05‑01 – Advisory updated to include macOS patch.

Conclusion

The CVE‑2026‑43968 flaw is a high‑risk remote code execution vulnerability that can be triggered by a single malicious attachment. Immediate patching and user awareness are essential to prevent exploitation. Stay updated with Microsoft’s security advisories and apply the recommended mitigations without delay.
