Remote code execution via the Reading Pane, without user interaction

Executive summary
On May 12, 2026, as part of the monthly Patch Tuesday cycle, Microsoft released a fix for CVE-2026-40361, a critical use-after-free vulnerability (CWE-416) officially classified by the vendor as a “Microsoft Office Word Remote Code Execution Vulnerability” (1) (2). Researcher Haifei Li, founder of the zero-day detection system EXPMON and originally credited with the discovery of BadWinmail (CVE-2015-6172) a decade ago, has publicly claimed the discovery and stated that the flaw resides in wwlib.dll, a dynamic link library shared by Microsoft Word and Microsoft Outlook (3) (4).
According to the demonstrations carried out by the researcher in an Outlook (Classic) + Exchange Server environment, the vulnerability is exploitable without any interaction from the victim: simply rendering the malicious email in the Reading Pane (Preview Pane) is sufficient to trigger the execution chain (3) (5). Microsoft confirms in its advisory that “The Preview Pane is an attack vector” for this CVE as well as for three additional Word RCEs published in the same rollup (CVE-2026-40364, CVE-2026-40366, CVE-2026-40367) (6) (5).
The CVSS 3.1 base score assigned by Microsoft is 8.4 (High on the CVSS scale; Microsoft's own severity rating for the CVE is Critical). The Exploitability Index is set to "Exploitation More Likely", meaning the vendor considers that reliable exploit code could be developed, and is likely to appear, within thirty days of publication (5) (6). At the time of writing, Haifei Li has confirmed having produced only a PoC demonstrating the trigger, without reaching code execution in a fully functional exploitation chain (3) (4). No in-the-wild exploitation has been reported to date.
This publication describes the scope, the technical chain, the exploitation prerequisites, the mitigations applicable immediately, and the detection avenues.
1. Identification
CVE identifier: CVE-2026-40361
Official Microsoft designation: Microsoft Office Word Remote Code Execution Vulnerability (2).
Technical designation per the discoverer: 0-click UAF/RCE in Microsoft Outlook, same attack class as BadWinmail (CVE-2015-6172) (3).
Discovery and reporting: Haifei Li (creator of the EXPMON system), in Q1 2026, as part of a dedicated research experiment motivated by his earlier work on BadWinmail. The report and PoC were submitted to the Microsoft Security Response Center (MSRC) under a coordinated disclosure process (3).
Public disclosure: May 12, 2026, simultaneously with the release of the fix in the monthly Patch Tuesday (1) (5).
Vulnerability type: use-after-free (CWE-416) in wwlib.dll.
CVSS 3.1 score: 8.4 (High), with Attack Vector Local, Attack Complexity Low and Privileges Required None (6) (5). Note that 8.4 is the score of the vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the exploitability sub-score is 8.22 × 0.55 × 0.77 × 0.85 × 0.85 ≈ 2.52, the impact sub-score 6.42 × (1 − 0.44³) ≈ 5.87, and their sum 8.39 rounds up to 8.4. With User Interaction Required (weight 0.62 instead of 0.85) the same vector would score 7.8. The published score therefore encodes User Interaction None, which is consistent with the Preview Pane being a trigger that demands no action from the victim. Attack Vector Local follows Microsoft's convention for file-parsing bugs: the malicious content is delivered remotely, but it is parsed by a local process.
Microsoft Exploitability Index: Exploitation More Likely (6).
Sibling vulnerabilities published the same day: CVE-2026-40364 (Exploitation More Likely), CVE-2026-40366 and CVE-2026-40367 (Exploitation Less Likely), all rated CVSS 3.1 = 8.4, all located in the Word document parser, all triggerable via the Reading Pane (6) (5).
Comparisons: CVE-2026-40361 shares the attack vector and impact profile of BadWinmail (CVE-2015-6172), which its discoverer described as an "enterprise killer". It belongs to the lineage of high-impact Word and Outlook vulnerabilities such as CVE-2017-11882 (Equation Editor), CVE-2022-30190 (Follina), and CVE-2023-23397 (Outlook elevation of privilege via a zero-click Net-NTLMv2 hash leak) (7) (4).
2. Affected components
The defect resides in wwlib.dll, a shared DLL loaded by both Microsoft Word and Microsoft Outlook (3). This sharing explains why the same primitive is reachable through two distinct vectors:
- Opening or previewing a specially crafted Word document (.docx, .doc, .docm, .dot, .dotm, .rtf).
- Receiving and rendering a specially crafted email in Outlook, including via the Reading Pane, without any explicit opening of the message (3) (4).
Products confirmed affected by Microsoft (1) (8):
- Microsoft 365 Apps for Enterprise (all update channels).
- Microsoft Office LTSC 2024.
- Microsoft Office 2021.
- Microsoft Office 2019.
- Microsoft Office 2016 (security-only update; the shared code path remains present in this extended-support version).
- Corresponding standalone Word SKUs.
- On-premises SharePoint deployments integrating Office Online Server for document rendering.
Microsoft Outlook (Classic) is explicitly identified by Haifei Li as an exploitable target. The researcher emphasizes that Outlook (Classic) does not implement an application sandbox, which compounds the severity of this attack vector compared to sandboxed clients (3).
3. Technical description
3.1. General principle
A use-after-free vulnerability is a memory corruption condition in which a program continues to reference a memory block after the allocator has already freed it. The reference and the allocation drift out of sync: an attacker capable of triggering new allocations in the interval can place attacker-controlled data at the freed location. When the original code path later dereferences a pointer (vtable, callback, function pointer) now under attacker control, execution flow is diverted to a chosen address (5).
In the context of wwlib.dll, neither Microsoft's advisory nor the researcher's public description identifies which object is freed and then reused. Third-party analysis (5) lists the usual candidates in a document parser: a style record, an embedded OLE container, a shape, a font handle, or an equivalent structure of the rendering engine.
3.2. Outlook vector
When Outlook receives a message in HTML or RTF format containing content rendered via wwlib.dll, the rendering engine is invoked automatically when the message is selected in the Reading Pane, or when it is opened. Parsing of the specially crafted content triggers the memory corruption before any action from the user beyond simple navigation in the inbox (3) (4).
This trigger mode presents three operational characteristics unfavorable to the defender:
- Rendering occurs as soon as the message is displayed in the Reading Pane, independently of any click on an attachment or link.
- The attack surface is positioned downstream of enterprise mail gateways, the content being delivered directly to the recipient's inbox.
- Classic mitigations (blocking external links, blocking macros, attachment filtering) do not apply, since the rendering engine acts on the body of the message itself.
3.3. Word and Windows Explorer vectors
The same primitives are triggerable via:
- Opening a specially crafted Word document in the Word client.
- Previewing such a document in the Windows File Explorer Preview Pane, whose Word preview handler loads the same wwlib.dll parsing code (5).
Microsoft's advisory states only that the Preview Pane is an attack vector (5). Since Outlook's Reading Pane and Explorer's Preview Pane both hand the content to wwlib.dll, the memory-corruption primitive is the same regardless of the entry point, even though the host process differs.
3.4. Proof-of-concept status
Haifei Li has publicly stated that he developed only a PoC demonstrating the trigger of the defect. He clarifies that he did not seek to produce a complete exploit reaching code execution, MSRC not having required such a demonstration to validate the criticality (4). The researcher estimates that achieving reliable code execution on Outlook would still be difficult, while not ruling out that threat actors may succeed (4).
4. Impact scope
4.1. Direct impact
Successful exploitation would allow a remote attacker to execute arbitrary code on the victim’s endpoint, with the privileges of the Outlook or Word process, that is, those of the current user. If the victim holds local administrative rights, the attacker obtains equivalent control (9).
Expected consequences include:
- Theft of data accessible to the user (mailbox, local files, mounted cloud files).
- Exfiltration of stored credentials (Windows Credential Manager, authentication tokens, NTLM hashes via relay-type attacks).
- Deployment of persistent implants.
- Lateral movement within the environment, abuse of Exchange access, post-compromise actions.
4.2. High-risk targets
The attack profile favors the targeting of individuals whose email address is public or discoverable, and whose compromise carries strategic value: executives (CEO, CFO), finance managers, human resources teams, procurement teams, legal teams, journalists, diplomatic personnel, and individuals under targeted surveillance or threat (3).
4.3. Environment scope
Exposure concerns any Windows endpoint running a supported version of Office or Word listed in section 2 and receiving emails from the Internet. Exchange servers are not vulnerable themselves in the sense that they do not execute the defective code, but they constitute the delivery channel for malicious content toward Outlook clients.
5. Exploitation prerequisites
| Condition | CVE-2026-40361 |
|---|---|
| Initial access required | None (delivery via incoming email) |
| Initial privileges | None |
| User Interaction (CVSS) | None: rendering in the Reading Pane requires no action from the victim (the 8.4 score corresponds to UI:N) |
| Attack vector | Local in CVSS terms (the crafted content is parsed by a local Word/Outlook process), although delivery is remote via email |
| Sender authentication | Not required |
| Module or component required on target | wwlib.dll (present by default in any supported Office installation) |
Typical initial access vectors are direct email delivery from the Internet to a publicly exposed mailbox, targeting via public mailing lists, and pivoting from a previously compromised mailbox within the same trusted domain.
6. Detection
6.1. Limits of existing controls
Microsoft, Field Effect, and several analysts emphasize that classic mail controls (SEG, attachment filtering, link filtering) are structurally ineffective against this type of chain, the trigger residing in the body of the rendered message itself (9) (3). EDR agents observe process behavior, not the parser: the memory corruption inside wwlib.dll produces no event an EDR would flag on its own, which makes post-execution behavioral detection a priority over upstream detection.
6.2. Relevant behavioral indicators
The following elements constitute high-priority investigation signals:
- Abnormal crash of the OUTLOOK.EXE or WINWORD.EXE process when receiving an email or previewing a document, accompanied by dump generation or an Application Error event (Event ID 1000 in the Application log, which names the faulting module; wwlib.dll in that field is the value of interest, though such crashes also occur on malformed but benign documents and are a triage lead rather than a verdict).
- Creation of unusual child processes by OUTLOOK.EXE or WINWORD.EXE, particularly cmd.exe, powershell.exe, mshta.exe, rundll32.exe, regsvr32.exe, wscript.exe, or any LOLBAS executable.
- Outbound connection established by OUTLOOK.EXE or WINWORD.EXE to non-inventoried infrastructure.
- Loading of unusual modules in the memory space of OUTLOOK.EXE or WINWORD.EXE.
- Creation of persistence artifacts (Run keys, scheduled tasks, services) following the rendering of an email.
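The following hunting script is an added example, not code from the advisory or from any vendor cited here. It covers the first two signals above: an Office process faulting inside wwlib.dll (Application Error, Event ID 1000) and a LOLBAS child of OUTLOOK.EXE or WINWORD.EXE (Sysmon Event ID 1). It assumes Sysmon is installed with process-creation logging and that the Application Error message is in English (the "Faulting application name" and "Faulting module name" labels are localized on other systems). The sample records at the end are constructed, not real telemetry, and exist so the logic can be exercised offline.

```powershell
# Added hunting example (not from the advisory). Assumptions: Sysmon Event ID 1 is logged,
# and Application Error 1000 messages use the English field labels matched below.

$officeParents  = 'OUTLOOK.EXE', 'WINWORD.EXE'
$lolbasChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'rundll32.exe',
                  'regsvr32.exe', 'wscript.exe', 'cscript.exe', 'certutil.exe', 'msiexec.exe', 'bitsadmin.exe'

# Flatten a Sysmon event's <EventData> into an object with one property per <Data Name="...">.
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        $x = [xml]$WinEvent.ToXml()
        $h = @{}
        foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

# Signal 2: an Office process spawning a LOLBAS binary. Matching is on file names only,
# since a parser UAF leaves no command-line artefact to key on.
function Find-OfficeLolbasChild {
    param([Parameter(ValueFromPipeline)] $Event)   # needs UtcTime, ParentImage, Image, CommandLine
    process {
        $parent = [IO.Path]::GetFileName($Event.ParentImage)
        $child  = [IO.Path]::GetFileName($Event.Image)
        if (($officeParents -contains $parent) -and ($lolbasChildren -contains $child)) {
            [pscustomobject]@{ Signal = 'Office child process'; Time = $Event.UtcTime
                               Parent = $parent; Child = $child; Command = $Event.CommandLine }
        }
    }
}

# Signal 1: Application Error 1000 where an Office process faulted inside wwlib.dll.
# wwlib.dll crashes also happen on benign malformed documents, so this is a lead to be
# correlated with the message received just before the crash, not a verdict on its own.
function Find-WwlibCrash {
    param([Parameter(ValueFromPipeline)] $Event)   # needs TimeCreated and Message
    process {
        if ($Event.Message -match '(?s)Faulting application name:\s*([^,\s]+).*?Faulting module name:\s*([^,\s]+)') {
            $app, $module = $Matches[1], $Matches[2]
            if (($officeParents -contains $app) -and ($module -ieq 'wwlib.dll')) {
                [pscustomobject]@{ Signal = 'wwlib.dll crash'; Time = $Event.TimeCreated
                                   Parent = $app; Child = $module; Command = $null }
            }
        }
    }
}

# Live run over the last 7 days; both queries are silent no-ops if the logs are absent.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent | Find-OfficeLolbasChild
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
    Find-WwlibCrash

# Constructed sample records (not real telemetry) showing the shape each function expects.
# The first process event and the crash record are hits; the second process event is benign.
$sampleProcessEvents = @(
    [pscustomobject]@{ UtcTime = '2026-05-13 09:12:41.123'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ UtcTime = '2026-05-13 09:13:02.555'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = '"WINWORD.EXE" /n' }
)
$sampleCrash = [pscustomobject]@{ TimeCreated = '2026-05-13 09:12:40'
    Message = "Faulting application name: OUTLOOK.EXE, version: 16.0.0.0, time stamp: 0x00000000`r`nFaulting module name: wwlib.dll, version: 16.0.0.0, time stamp: 0x00000000" }
$sampleProcessEvents | Find-OfficeLolbasChild
$sampleCrash | Find-WwlibCrash
```

Both functions accept pipeline input, so the same logic can be pointed at exported EVTX files (Get-WinEvent -Path) or at a SIEM export converted to objects with the same property names. A crash hit and a child-process hit from the same host within a few seconds of each other, as in the constructed sample, is the pattern worth escalating.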
6.3. Rules and signatures
At the time of writing, no public signature specific to CVE-2026-40361 is distributed. Generic behavioral rules targeting abusive child processes of Office applications (Microsoft Defender Attack Surface Reduction rule “Block all Office applications from creating child processes”) remain relevant (9).
Microsoft has published its MSRC advisory and will continue to enrich the CVE page in case of observed active exploitation. Monitoring MSRC notifications is recommended (1).
6.4. Public IOCs
No public IOC specific to in-the-wild exploitation is distributed at the time of writing. No functional exploit is publicly available, the PoC by Haifei Li not having been released beyond the demonstration provided to MSRC (4).
7. Mitigations
7.1. Patch application (priority target)
Applying the Microsoft Office updates released on May 12, 2026, constitutes the only complete and reliable mitigation (1) (8). Distribution is performed via:
- Windows Update and Windows Update for Business for managed endpoints.
- Microsoft Update Catalog for manual installations.
- Microsoft 365 Apps update channels (Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel) according to the organization's policy.
Office 2016 receives a security-only update, since the shared wwlib.dll code path is present in that version too (5).
Administrators should prioritize deployment on high-risk populations identified in section 4.2.
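To know which endpoints still need the update, each host's installed Office build and update channel has to be compared with the fixed build Microsoft lists for that channel. The script below is an added example (not code from the advisory or from Microsoft) that collects that inventory from one endpoint. It assumes a Click-to-Run installation (the ClickToRun\Configuration registry key) and falls back to the file version of wwlib.dll for MSI-based Office 2016/2019; the channel GUID mapping comes from Microsoft's update-channel documentation. The fixed build numbers are not reproduced here: pass the one from the MSRC advisory for the detected channel as -PatchedBuild.

```powershell
# Added inventory example (not from the advisory). Assumptions: Click-to-Run Office writes
# VersionToReport/UpdateChannel under HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration;
# wwlib.dll lives in the Office16 directory for both C2R and MSI layouts.
param([version]$PatchedBuild)   # fixed build for this channel, taken from the MSRC advisory

$channels = @{   # GUID at the end of the ClickToRun UpdateChannel URL
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current Channel'
    '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'Monthly Enterprise Channel'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Enterprise Channel'
}

function Get-OfficeInventory {
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $channelId = if ($c2r.UpdateChannel) { ($c2r.UpdateChannel -split '/')[-1] } else { $null }

    # wwlib.dll carries the Word build regardless of install type; check C2R and MSI layouts.
    $wwlib = @("$env:ProgramFiles\Microsoft Office\root\Office16\wwlib.dll",
               "${env:ProgramFiles(x86)}\Microsoft Office\root\Office16\wwlib.dll",
               "$env:ProgramFiles\Microsoft Office\Office16\wwlib.dll",
               "${env:ProgramFiles(x86)}\Microsoft Office\Office16\wwlib.dll") |
             Where-Object { Test-Path $_ } | Select-Object -First 1
    $wwlibVersion = if ($wwlib) { [version](Get-Item $wwlib).VersionInfo.FileVersion } else { $null }

    # Prefer the C2R-reported build; an MSI install only has the DLL version to go on.
    $build  = if ($c2r.VersionToReport) { [version]$c2r.VersionToReport } else { $wwlibVersion }
    $status = if (-not $build)                  { 'no Office/Word install found' }
              elseif (-not $PatchedBuild)       { 'build recorded, no target build supplied' }
              elseif ($build -ge $PatchedBuild) { 'patched' }
              else                              { 'VULNERABLE: below patched build' }

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        InstallType  = if ($c2r.VersionToReport) { 'Click-to-Run' } elseif ($wwlib) { 'MSI' } else { 'none' }
        Products     = $c2r.ProductReleaseIds
        Platform     = $c2r.Platform
        Channel      = if ($channelId -and $channels.ContainsKey($channelId)) { $channels[$channelId] } else { $channelId }
        Build        = $build
        WwlibVersion = $wwlibVersion
        Status       = $status
    }
}

Get-OfficeInventory
```

Run through a remoting session (Invoke-Command -ComputerName ... -FilePath) the script yields one record per host, which can be filtered on Status to produce the deviation list called for in section 9. A build that is below the target for its channel is the only reliable "still exposed" criterion; the presence of a mitigation from 7.2 or 7.3 does not change it.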
7.2. Immediate mitigation: plain text rendering in Outlook
This mitigation is explicitly recommended by Haifei Li and echoed in several advisories. It prevents the message body from being handed to the Word-based HTML/RTF rendering engine in which the vulnerable code lives (3) (9). It does not cover Word attachments opened or previewed from such a message, which still follow the Word vector of section 3.3.
Configuration via Group Policy:
User Configuration
-> Administrative Templates
-> Microsoft Outlook 20XX
-> Outlook Options
-> Preferences
-> E-mail Options
-> "Read all standard mail in plain text": Enabled
-> "Read all digitally signed mail in plain text": Enabled
Configuration via registry:
HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\Options\Mail
ReadAsPlain (DWORD) = 1
Side effect: loss of HTML formatting, inline images, stylesheets, and disruption of internal workflows relying on formatted emails (signatures, newsletters, application notifications).
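For endpoints where a GPO cannot be pushed in time, the registry value above can be set directly in the user's hive. The script below is an added example, not code from the advisory or from Microsoft: it writes ReadAsPlain = 1 under every Office version key present for the current user and reads the value back. It assumes Outlook (Classic) picks the value up at startup (so Outlook must be restarted) and covers only "Read all standard mail in plain text", since the registry name of the digitally-signed-mail setting is not given above. Because this is a preference rather than a policy value, a user can revert it from Outlook's options dialog; the administrative template of 7.2 remains the enforcement mechanism.

```powershell
# Added example (not from the advisory). Run as the affected user, not elevated: the key is
# under HKCU. Assumption: Outlook (Classic) reads ReadAsPlain at startup.
param([switch]$Revert)   # -Revert removes the value once the May 2026 update is confirmed

$officeRoot = 'HKCU:\Software\Microsoft\Office'
$versions = Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' }   # 16.0 for Office 2016 and later

if (-not $versions) {
    Write-Warning "No Office version key under $officeRoot; Outlook has not been run by this user."
    return
}

foreach ($v in $versions) {
    $mailKey = "$officeRoot\$($v.PSChildName)\Outlook\Options\Mail"

    if ($Revert) {
        Remove-ItemProperty -Path $mailKey -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
    } else {
        if (-not (Test-Path $mailKey)) { New-Item -Path $mailKey -Force | Out-Null }
        New-ItemProperty -Path $mailKey -Name 'ReadAsPlain' -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read the value back rather than trusting the write; a missing value means HTML rendering.
    $state = (Get-ItemProperty -Path $mailKey -Name 'ReadAsPlain' -ErrorAction SilentlyContinue).ReadAsPlain
    [pscustomobject]@{
        OfficeVersion = $v.PSChildName
        Key           = $mailKey
        ReadAsPlain   = if ($null -eq $state) { 0 } else { $state }
        Rendering     = if ($state -eq 1) { 'plain text' } else { 'HTML/RTF (wwlib.dll engine)' }
    }
}
```

The read-back output doubles as a compliance check: collecting the Rendering column across the user population shows which mailboxes are still being rendered by wwlib.dll while the patch rolls out.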
7.3. Immediate mitigation: disabling the Reading Pane
Disabling the Reading Pane removes automatic rendering on navigation within the inbox (5). Explicit opening of a message remains possible and will trigger the rendering at that point.
Outlook: View > Reading Pane > Off, or GPO deployment via the corresponding Outlook administrative template.
Windows File Explorer: disabling the Preview Pane via View > Show > Preview Pane.
7.4. Complementary mitigation: gateway filtering
Several analysts recommend, in addition to patching, hardening the secure email gateway (SEG):
- Block .docx, .doc, .docm, .dot, .dotm, and .rtf attachments from unsigned external senders (5).
- Rewrite incoming HTML/RTF content to plain text for high-risk populations.
- Quarantine messages from mail infrastructures without valid SPF/DKIM/DMARC policy.
These measures reduce the attack surface without eliminating it, the exact vector residing in the rendered message body rather than in an attachment.
7.5. Enabling Attack Surface Reduction rules (ASR)
For Microsoft Defender for Endpoint environments, enabling the following ASR rules provides an additional layer of defense in depth:
- Block all Office applications from creating child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A).
- Block Office applications from creating executable content (3B576869-A4EC-4529-8536-B80A7769E899).
- Block Office applications from injecting code into other processes (75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84).
- Block Win32 API calls from Office macros (92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B).
These rules do not prevent the memory corruption itself, but limit the impact of subsequent payloads. Two caveats apply. The macro rule has no bearing on a parser-level UAF, since no macro is involved. More importantly, Microsoft scopes "Block all Office applications from creating child processes" to Word, Excel, PowerPoint, OneNote and Access; child processes of Outlook are governed by the separate rule "Block Office communication application from creating child processes" (26190899-1602-49E8-8B27-EB1D0A1CE869), which is therefore the one that matters for the Reading Pane vector. Rules should be rolled out in audit mode first so that legitimate add-in behavior surfaces before blocking is enforced.
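The script below is an added example, not code from the advisory or from Microsoft. It enables the four rules listed above, plus the Outlook-specific child-process rule taken from Microsoft's ASR documentation, in audit mode by default, then reads the effective state back from Get-MpPreference and lists recent ASR events (1121 blocked, 1122 audited). It assumes Microsoft Defender Antivirus is the active engine (ASR rules are inert under a third-party AV) and an elevated shell, which Add-MpPreference requires.

```powershell
# Added example (not from the advisory). Assumptions: Defender AV is active and the shell is
# elevated. Start in AuditMode; switch to Enabled once 1122 events show no legitimate hits.
param([ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')] [string]$Mode = 'AuditMode')

$rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    # Outlook is not in the "Office applications" set of the first rule; this rule covers it.
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
}

foreach ($id in $rules.Keys) {
    # Add-MpPreference merges with the existing rule list; re-adding an ID updates its action.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
}

# Verify from the effective preference: Ids and Actions are parallel arrays
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
function Get-OfficeAsrState {
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpper()
        if ($rules.ContainsKey($id)) {
            [pscustomobject]@{
                Rule   = $rules[$id]
                Id     = $id
                Action = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            }
        }
    }
}
Get-OfficeAsrState

# What the rules saw: 1121 = blocked, 1122 = would have been blocked (audit). Review the
# 1122 hits for legitimate Office add-ins before switching -Mode to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; @($rules.Keys | Where-Object { $m -match $_ }).Count -gt 0 } |
    Select-Object TimeCreated, Id, Message
```

In Intune- or GPO-managed estates the same rule IDs and actions are set through the endpoint security ASR profile; the verification half of the script is still useful there, since Get-MpPreference reflects the merged effective state whatever the delivery channel.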
8. Comparison with prior vulnerabilities
| Vulnerability | CVE | Type | Trigger vector | Reading Pane |
|---|---|---|---|---|
| BadWinmail | CVE-2015-6172 | Embedded OLE object in a TNEF (winmail.dat) message | Outlook rendered email | Yes |
| Equation Editor | CVE-2017-11882 | Stack buffer overflow | Word document | No |
| Follina | CVE-2022-30190 | MSDT protocol handler abuse | Word document | Partial |
| Outlook EoP | CVE-2023-23397 | Net-NTLMv2 hash leak via PidLidReminderFileParameter | Outlook reminder fired by a calendar or task item | No (zero-click, but triggered by reminder processing rather than preview) |
| CVE-2026-40361 | CVE-2026-40361 | Use-after-free (wwlib.dll) | Outlook email / Word document | Yes |
CVE-2026-40361 is distinguished by the combination of four properties unfavorable to the defender: zero-click triggering via the Reading Pane, direct delivery into the inbox, absence of an application sandbox in Outlook (Classic), and sharing of the code path with Word and Windows File Explorer, which multiplies entry points for the same primitive.
9. CERT / VOC recommendations
Short term (immediate)
- Identify the supported Office population within the perimeter, distinguishing affected versions (Microsoft 365 Apps, Office LTSC 2024, Office 2021, Office 2019, Office 2016 security-only).
- Initiate the deployment campaign for the Microsoft Office updates released on May 12, 2026, prioritizing high-risk populations (executives, finance, HR, procurement, legal, external communications).
- For endpoints that cannot be patched immediately, deploy as a temporary mitigation the plain text rendering in Outlook (section 7.2) and/or the disabling of the Reading Pane (section 7.3).
- Enable or reinforce Microsoft Defender for Endpoint ASR rules listed in section 7.5.
- Communicate to concerned users the zero-click nature of the threat, specifying that no action on their part (click, opening of an attachment) is required to trigger exploitation, in order to avoid false reassurance linked to classic phishing awareness campaigns.
Short to medium term
- Deploy EDR monitoring focused on abnormal child processes of OUTLOOK.EXE and WINWORD.EXE, as well as on outbound connections initiated by these processes.
- Verify effective application of patches across the entire estate and report deviations to the remediation plan.
- For environments handling sensitive correspondence with external senders (lawyers, media, NGOs, public administration), evaluate the relevance of permanent plain text rendering for these populations.
Medium term
- Integrate CVE-2026-40361 into threat hunting scenarios covering endpoint compromise via zero-click mail vectors.
- Reassess the migration posture toward Outlook (new) or web-based Outlook clients benefiting from an application sandbox, weighing functional constraints.
- Monitor the publication of potential public functional exploits and the emergence of in-the-wild exploitation, and trigger a reassessment of the response posture accordingly.
- Document in internal CERT procedures the “zero-click via Reading Pane” pattern as a distinct incident class, distinguishing detection (post-execution behavioral signals) from prevention (patching and configuration hardening).
10. Disclosure timeline
- Q1 2026: discovery of the vulnerability by Haifei Li as part of a dedicated research experiment, motivated by the conclusions drawn ten years earlier from BadWinmail (3).
- Q1 2026: private report to the Microsoft Security Response Center (MSRC), with demonstration of the trigger in a live Outlook + Exchange Server environment (3).
- May 12, 2026: release of the fix in the May 2026 monthly Patch Tuesday, simultaneously with the public disclosure of the MSRC advisory (1) (5).
- May 12, 2026: publication by Haifei Li of a detailed thread on X describing the nature of the vulnerability, its Outlook vector, and patching recommendations (3).
- May 13, 2026 and following days: pickup by third-party analyses (SecurityWeek, Field Effect, Tenable, Windows News, gblock.app) confirming the UAF classification, the CVSS 8.4 score, the “Exploitation More Likely” index, and the zero-click via Reading Pane property (4) (9) (6) (5).
Sources
- (1) Microsoft Security Response Center, CVE-2026-40361 Microsoft Office Word Remote Code Execution Vulnerability, official advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40361
- (2) cvefeed.io, CVE-2026-40361 Microsoft Word Remote Code Execution Vulnerability, descriptive entry: https://cvefeed.io/vuln/detail/CVE-2026-40361
- (3) Haifei Li (@HaifeiLi), X post dated May 12, 2026, describing CVE-2026-40361, its Outlook vector, and the comparison with BadWinmail: https://x.com/HaifeiLi/status/2054268761528823931
- (4) SecurityWeek, Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises: https://www.securityweek.com/microsoft-patches-critical-zero-click-outlook-vulnerability-threatening-enterprises/
- (5) gblock.app, Word Bug CVE-2026-40361 Triggers in Outlook’s Preview Pane: https://www.gblock.app/articles/microsoft-word-preview-pane-rce-cve-2026-40361
- (6) Tenable Research, May 2026 Microsoft Patch Tuesday: https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103
- (7) Windows News, CVE-2026-40361 Microsoft Word Remote Code Execution Vulnerability Demands Immediate Patching: https://windowsnews.ai/article/cve-2026-40361-microsoft-word-remote-code-execution-vulnerability-demands-immediate-patching.417953
- (8) zecurit.com, Patch Tuesday May 2026 Security Updates & CVE Analysis: https://zecurit.com/endpoint-management/patch-tuesday/
- (9) Field Effect, Microsoft Office update fixes Word RCE triggered via Outlook emails: https://fieldeffect.com/blog/word-rce-via-outlook-emails



