PT-2026-40196 · Microsoft · Office Word+1
Published: 2026-05-12 · Updated: 2026-05-12 · CVE-2026-40361
CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Microsoft Office Word (affected versions not specified)
Microsoft Outlook (affected versions not specified)
Description
A use after free issue in the shared library wwlib.dll allows an unauthorized attacker to execute code locally. In Microsoft Outlook, this can be triggered as a 0-click attack, meaning the issue is activated as soon as a victim reads or previews an email, without requiring the user to click links or attachments. This occurs because the flaw resides in the email rendering engine.
Recommendations
As a temporary workaround for Microsoft Outlook, set the application to render emails only in plain text format.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
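One way to check and apply the plain-text workaround per user, as an added example that is not part of the advisory or of Microsoft's guidance. It assumes the 16.0 registry branch (Office 2016/2019/Microsoft 365 Apps), since the advisory lists no affected versions, and the -Enforce switch is a name chosen for this script.

```powershell
# Added example: audit (and optionally enable) Outlook's
# "Read all standard mail in plain text" option for the current user.
param([switch]$Enforce)   # hypothetical switch: without it the script only reports

$version   = '16.0'       # assumption: Office 2016/2019/Microsoft 365 Apps branch
$userKey   = "HKCU:\Software\Microsoft\Office\$version\Outlook\Options\Mail"
$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$version\Outlook\Options\Mail"

function Get-ReadAsPlain {
    param([string]$Key)
    # Returns the ReadAsPlain DWORD, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Key -Name 'ReadAsPlain' -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.ReadAsPlain }
    return $null
}

$policy = Get-ReadAsPlain $policyKey
$user   = Get-ReadAsPlain $userKey

# A value set through Group Policy takes precedence over the user preference.
$effective = if ($null -ne $policy) { $policy } else { $user }

if ($effective -eq 1) {
    Write-Output 'OK: Outlook is set to read mail as plain text.'
}
elseif ($policy -eq 0) {
    # Writing the user key would have no effect while policy forces HTML reading.
    Write-Warning 'Policy sets ReadAsPlain=0; change the Group Policy setting instead.'
}
elseif ($Enforce) {
    # Create the key only if missing, so existing mail options are not touched.
    if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    New-ItemProperty -Path $userKey -Name 'ReadAsPlain' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Write-Output 'Set ReadAsPlain=1 for the current user; restart Outlook to apply.'
}
else {
    Write-Warning 'Outlook renders HTML mail (ReadAsPlain not set to 1). Re-run with -Enforce.'
}
```

For a fleet, the same value is better delivered through Group Policy so that users cannot switch it back in the Trust Center.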
Use After Free
Weakness Enumeration
Related Identifiers
Affected Products
Office Word
Outlook