Zero-Click Outlook Attack: What the May 2026 Patch Tuesday Means for Your Business

Reza

Microsoft shipped patches for 138 security vulnerabilities this week as part of May 2026 Patch Tuesday. Most months, the patch list is a mix of medium-priority fixes that IT teams work through over a few weeks. This month is different. Buried in that list is a critical Outlook flaw that security researchers are comparing to one of the most dangerous enterprise vulnerabilities ever discovered - and it requires zero interaction from the person being attacked.

If your team uses Microsoft Outlook (which is most businesses running Microsoft 365), this one warrants attention sooner rather than later.

What Is CVE-2026-40361 and Why Does It Matter?

The vulnerability, tracked as CVE-2026-40361, is a use-after-free bug in Microsoft Word that carries serious implications for Outlook users. Haifei Li, the security researcher who discovered and reported it, flagged this one immediately as particularly concerning.

Here's the core issue: most cyberattacks require a user to do something - click a link, open an attachment, approve a prompt. This one doesn't. According to SecurityWeek's reporting on the vulnerability, the bug is triggered the moment a victim reads or previews an email. No clicks, no attachments, no decision-making required. The attacker sends a specially crafted email, the target opens it (or it appears in the preview pane), and that's enough for the attack to execute.

The technical mechanism sits in Outlook's email rendering engine. The flaw lives in a shared DLL used by both Microsoft Word and Outlook. When Outlook renders the malicious email, that DLL can be exploited to execute arbitrary code on the target machine - essentially handing the attacker control of the system.

What "Zero-Click" Means in Practice

Security training has always leaned heavily on "don't click suspicious links" and "don't open unexpected attachments." It's good advice, and it's kept a lot of businesses safer over the years. But it assumes the attack requires user interaction.

Zero-click bugs flip that assumption. An employee with perfect security habits - someone who scrutinizes every email, never clicks phishing links, and treats attachments with suspicion - can still be compromised just by checking their inbox. That changes the calculus for how businesses need to think about protection.

Li compared CVE-2026-40361 directly to a vulnerability he discovered over a decade ago: CVE-2015-6172, dubbed "BadWinmail", which was called an "enterprise killer" at the time. The new flaw uses the same attack vector and has comparable potential impact. His warning was blunt: "Essentially, anyone could compromise a CEO or CFO just by sending an email. The threat perfectly bypasses enterprise firewalls and is delivered directly to the inbox."

Microsoft has rated this vulnerability as "exploitation more likely" - their signal that the conditions for exploitation are relatively accessible to motivated attackers, even if there's no working exploit in the wild right now.

The Full May 2026 Patch Tuesday Picture

CVE-2026-40361 is the headline, but it's not the only vulnerability worth understanding in this month's release. According to The Hacker News's breakdown of the May 2026 Patch Tuesday, the update addresses 138 vulnerabilities total:

  • 30 rated Critical
  • 104 rated Important
  • 3 rated Moderate
  • 1 rated Low

By type: 61 privilege escalation bugs, 32 remote code execution flaws, 15 information disclosure vulnerabilities, 14 spoofing bugs, and 8 denial-of-service vulnerabilities. That's a heavy month. A few others are worth calling out specifically:

Windows DNS Client (CVE-2026-41096, CVSS 9.8)

A heap-based buffer overflow in the Windows DNS client that allows unauthenticated remote code execution. An attacker exploits it by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS client to corrupt memory and potentially execute the attacker's code. No authentication required. Every Windows machine that resolves DNS queries is potentially in scope here.

Windows Netlogon (CVE-2026-41089, CVSS 9.8)

A stack-based buffer overflow in the Windows Netlogon service, targeting domain controllers. An attacker with network access can send a crafted request to a domain controller and execute code without any credentials. For businesses running Active Directory - which covers most organizations with 10 or more Windows machines - a compromised domain controller means the attacker effectively controls every machine on the network. This one should be patched on servers before anything else.

Windows Hyper-V (CVE-2026-40402, CVSS 9.3)

A use-after-free in Hyper-V that allows privilege escalation to SYSTEM level, with potential access to the Hyper-V host environment itself. Relevant for businesses running virtualized infrastructure on Windows Server.

Microsoft Dynamics 365 On-Premises (CVE-2026-42898, CVSS 9.9)

A code injection vulnerability in the on-premises version of Dynamics 365. If your business runs Dynamics 365 on your own servers rather than the cloud-hosted version, this needs a patch quickly - CVSS 9.9 is about as high as it gets.

What to Do Right Now

The good news: Microsoft has released patches for all of these. According to Cisco Talos's May 2026 Patch Tuesday analysis, none of the vulnerabilities are currently being actively exploited in the wild. But "exploitation more likely" on CVE-2026-40361 means the window before someone develops a working exploit could be shorter than typical.

Step 1: Apply Windows and Office Updates

On Windows 10 and 11 workstations, go to Settings - Windows Update and check for updates. The May 2026 cumulative update addresses the Outlook rendering bug and the Windows DNS/Netlogon vulnerabilities. On Windows Server, check through WSUS or Windows Update directly and apply the May 2026 security patches - domain controllers first.

For Microsoft 365 desktop apps (Outlook, Word, etc.), updates come through the Click-to-Run mechanism. Verify that automatic updates are enabled and that the current channel has pushed the May 2026 release. In Outlook, go to File - Office Account - Update Options and check for updates manually if you're not sure.

Step 2: Verify Across All Devices

Updating one machine is easy. The harder part is confirming every machine in your organization has received the patch - including remote workers, machines that weren't online during the update window, and servers. In environments without centralized patch management, this typically means manually checking each device or using a reporting tool to verify update status against your device inventory.

Our vulnerability management services include automated scanning that shows exactly which systems are missing which patches, so you're not guessing.

Step 3: Apply the Plain-Text Email Mitigation (While Patches Roll Out)

There's a temporary mitigation that removes the attack surface for CVE-2026-40361 entirely. Setting Outlook to render emails in plain text instead of HTML bypasses the vulnerable rendering path - the attack can't execute if the HTML rendering engine isn't being used.

In Outlook on Windows: File - Options - Trust Center - Trust Center Settings - Email Security - check "Read all standard mail in plain text."

This means formatted emails appear as unformatted text, which is a real inconvenience. Treat it as a temporary measure while patches are rolling out across your organization. For businesses with Active Directory, this setting can be pushed via Group Policy to all machines simultaneously, rather than manually configuring each one.
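The same plain-text setting can be enforced from a script instead of clicking through each machine. The example below is added here and is not the post's own tooling: it writes the ReadAsPlain registry value behind Outlook's "Read all standard mail in plain text" checkbox under the Policies hive (the value the Outlook ADMX "Read e-mail as plain text" setting uses), gives you a matching rollback function for after the patch is confirmed, and reports the current state. It assumes an Office 16.0 registry layout (Office 2016/2019/2021 and Microsoft 365 Apps), and that it runs in the user's context, for example as a Group Policy logon script, because the setting is per user.

```powershell
# Added example, not from the original post. Enforces, rolls back, and reports the
# Outlook "read all standard mail in plain text" mitigation via the registry.
# Assumes the Office 16.0 registry layout (Office 2016 and later, Microsoft 365 Apps).

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'
$UserKey   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail'

function Enable-OutlookPlainTextReading {
    # The Policies hive takes precedence over the user's own preference and greys out
    # the checkbox in Outlook, which is what you want for a centrally enforced mitigation.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'ReadAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-OutlookPlainTextReading {
    # Roll back once the May 2026 Office update is verified on this machine.
    if (Test-Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
    }
}

function Get-OutlookPlainTextReadingState {
    # Reports whether the mitigation is active, and whether policy or the user set it.
    $policy = (Get-ItemProperty -Path $PolicyKey -Name 'ReadAsPlain' -ErrorAction SilentlyContinue).ReadAsPlain
    $user   = (Get-ItemProperty -Path $UserKey   -Name 'ReadAsPlain' -ErrorAction SilentlyContinue).ReadAsPlain
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        User             = $env:USERNAME
        EnforcedByPolicy = ($policy -eq 1)
        SetByUser        = ($user -eq 1)
        Mitigated        = ($policy -eq 1) -or ($user -eq 1)
    }
}

# Apply the mitigation and show the resulting state for this user.
Enable-OutlookPlainTextReading
Get-OutlookPlainTextReadingState
```

Outlook reads the value at startup, so users need to restart Outlook for the change to take effect. Because the setting lives under HKCU, deploy it through User Configuration in Group Policy (logon script or the Outlook administrative template) rather than a computer startup script, and keep the Disable-OutlookPlainTextReading function handy so the rollback is as quick as the rollout once the patch status is confirmed.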

Step 4: Prioritize Domain Controllers

Given CVE-2026-41089 in Netlogon, domain controllers should get patched before regular workstations and other servers. A domain controller compromise gives an attacker full network access - it's the crown jewel of most Windows environments. Schedule a maintenance window this week if you run on-premises Active Directory.

Why Patching Is Harder Than It Sounds

Every month, Microsoft releases a batch of security updates. Some months it's 50-60 vulnerabilities. This month it's 138. Third-party software - Adobe Reader, browsers, Java, network drivers, antivirus engines - ships patches on completely separate schedules.

Keeping up manually is genuinely difficult without a dedicated IT team. It's not just clicking "update." There are compatibility concerns (some patches break line-of-business software), sequencing requirements, rollback planning, and verification steps. Patches sometimes silently fail to apply. Machines that were offline during the update window get left behind.

For businesses using managed IT services, patch management is systematic - updates are tested, scheduled for off-hours deployment, and verified against a complete device inventory. When a critical vulnerability like this one comes out, the MSP can push patches across an entire environment and confirm completion quickly, not weeks later. That's the practical difference between proactive and reactive patch management.

The Bigger Trend Worth Paying Attention To

Something else notable about this month's Patch Tuesday: 16 of the Windows vulnerabilities were discovered using Microsoft's own AI-driven vulnerability scanning system, MDASH. As AI tools accelerate the pace of vulnerability discovery, the gap between "patch released" and "exploit in the wild" will likely compress further.

Historically, attackers have often targeted known vulnerabilities for which patches have been available for weeks or months - counting on the reality that many organizations patch slowly. According to CISA's Known Exploited Vulnerabilities catalog, a significant portion of actively exploited vulnerabilities had patches available long before exploitation began. The lesson hasn't changed: timely patching is one of the highest-leverage security actions a business can take.

The layered security approach that protects businesses from zero-click attacks includes patching (removes the vulnerability), endpoint detection and response (catches exploitation attempts), network monitoring (detects lateral movement after a breach), and email filtering (blocks malicious messages before they reach the inbox). Each layer covers gaps in the others.

For Outlook specifically, EDR tools can identify the anomalous behavior that follows a successful zero-click exploit - even when the initial exploitation happened silently. That's often how these attacks get caught: not at the entry point, but when the attacker tries to act on the access they've gained.

Frequently Asked Questions

Am I affected if I use Microsoft 365 (cloud-hosted) instead of on-premise Exchange?

Yes - this vulnerability is in the Outlook desktop client itself, not in the mail server. It doesn't matter whether your email is hosted in Microsoft 365 or on a local Exchange server. If your employees use the Outlook desktop app on Windows, those machines need to be patched. The web version of Outlook (Outlook on the web, formerly OWA) is not affected by this specific bug because it uses a different rendering engine in the browser.

How do I verify whether my computers have already been patched?

On Windows 10/11, go to Settings - Windows Update - Update History and look for the May 2026 cumulative update (it will reference "2026-05" in the description). For Outlook specifically, in the app go to File - Office Account and check the version number shown. Microsoft 365 Apps in the Current Channel should be on version 2504 or later after the May update. If you see an older version, click Update Options - Update Now.
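The manual checks above (Update History for the Windows side, File - Office Account for the Office build) don't scale past a handful of machines, which is the problem Step 2 describes. The script below is an added example, not the post's own tooling, that runs the same two checks over PowerShell Remoting against a list of computers and lists the ones still needing attention. It assumes WinRM is enabled and you have admin rights on the targets, that Office is installed via Click-to-Run, and that you fill in `$MinimumOfficeBuild` (a placeholder here) with the build number for the May 2026 Current Channel release from Microsoft's Office release notes; the computer names in `$Inventory` are constructed sample values.

```powershell
# Added example, not from the original post. Collects Windows and Office patch status
# from a list of machines over WinRM and flags those still missing the May 2026 updates.
# Assumes PowerShell Remoting, admin rights on the targets, and Office via Click-to-Run.

# PLACEHOLDER: replace with the May 2026 Current Channel build from Microsoft's release notes.
$MinimumOfficeBuild = '16.0.0.0'

function Get-SecondTuesday {
    param([int]$Year, [int]$Month)
    # Patch Tuesday is the second Tuesday of the month.
    $d = Get-Date -Year $Year -Month $Month -Day 1
    while ($d.DayOfWeek -ne 'Tuesday') { $d = $d.AddDays(1) }
    $d.AddDays(7).Date
}

$PatchTuesday = Get-SecondTuesday -Year 2026 -Month 5

# Runs on each target; kept self-contained because it is serialized to the remote host.
$Probe = {
    param([datetime]$Since, [string]$MinBuild)

    # Windows side: any hotfix installed on or after Patch Tuesday.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -ge $Since } |
        Sort-Object InstalledOn -Descending

    # Office side: Click-to-Run records the installed build in this key.
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $officeBuild = if ($c2r.VersionToReport) { [version]$c2r.VersionToReport } else { $null }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        LastBootUpTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        WindowsPatched = (@($recent).Count -gt 0)
        LatestHotFix   = ($recent | Select-Object -First 1).HotFixID
        OfficeBuild    = $officeBuild
        OfficePatched  = ($null -ne $officeBuild -and $officeBuild -ge [version]$MinBuild)
    }
}

function Get-MayPatchStatus {
    param([string[]]$ComputerName)
    # Unreachable machines (offline remote workers) surface as errors rather than silently vanishing.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $Probe `
        -ArgumentList $PatchTuesday, $MinimumOfficeBuild -ErrorAction Continue |
        Select-Object Computer, WindowsPatched, LatestHotFix, OfficeBuild, OfficePatched, LastBootUpTime
}

# Constructed sample inventory; replace with your own list or Get-ADComputer output.
# Domain controllers are listed first so they are checked (and fixed) before anything else.
$Inventory = @('DC01', 'DC02', 'FS01', 'WS-FINANCE-01', 'WS-CEO')

$status = Get-MayPatchStatus -ComputerName $Inventory
$status | Format-Table -AutoSize

# Machines needing attention: nothing installed since Patch Tuesday, or Office below the required build.
$status | Where-Object { -not $_.WindowsPatched -or -not $_.OfficePatched } |
    Select-Object Computer, WindowsPatched, OfficePatched
```

Two caveats a practitioner should keep in mind. First, "a hotfix installed after Patch Tuesday" is a proxy: for a precise check, match the specific KB number for your Windows build from the Microsoft Security Update Guide against the HotFixID column. Second, an update that has been installed but not yet rebooted into is not protecting anyone, which is why LastBootUpTime is in the report; a boot time earlier than the install date means the machine still needs a restart. To feed domain controllers in first automatically, prepend the output of Get-ADDomainController -Filter * (ActiveDirectory module) to the inventory.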

What exactly is a "use-after-free" vulnerability?

It's a class of memory bug where software tries to use a chunk of memory after it's been released back to the system. Attackers can manipulate what ends up in that freed memory location before the software tries to use it again - effectively injecting their own code into the process. Use-after-free bugs are notoriously hard to spot ahead of time, yet reliable to exploit once a working technique exists, which is part of why this class of vulnerability gets rated so seriously.

Should I switch away from Outlook to avoid these vulnerabilities?

Switching email clients isn't the right response here. Every major email client - Thunderbird, Apple Mail, Gmail's desktop app - has had critical security vulnerabilities at various points. And changing platforms creates significant disruption, compatibility issues, and costs that far outweigh the risk of a patched vulnerability. The practical answer is: keep Outlook patched, apply the plain-text mitigation temporarily if needed, and have endpoint protection in place.

How often should we expect critical Outlook vulnerabilities like this?

Outlook gets security patches almost every month. True zero-click critical vulnerabilities are rarer - maybe a handful across Microsoft's entire product portfolio per year - but they're not exceptional. Widely used software like Outlook is a high-value target, and security researchers (and attackers) invest significant effort in finding bugs. That's why systematic, automated patch management matters more than responding to any individual high-profile vulnerability.


If you're not certain whether this month's patches have been applied across all your devices, or if patch management is something your team handles reactively rather than systematically, we're happy to do a quick assessment. Reach us at (949) 381-1010 or through our contact page.
