Windows OLE Use-After-Free — Outlook Preview-Pane RCE With No User Interaction (CVE-2025-21298)
A use-after-free in Windows OLE allows remote code execution when Outlook previews a specially crafted email — no clicks required. Apply the January 2025 cumulative update, or configure Outlook to render messages as plain text until patched.
An attacker who can email the victim — internal user, external phisher, or any inbox-spam path — can execute code in the user's context the moment Outlook previews the message. On a server where Outlook is installed (e.g. a jump host, RDS session host with Office, or admin workstation accessed via remote console), this is a path to interactive code execution with the privileges of whatever account is signed in. On RDS deployments this typically yields a foothold inside the broader environment.
A use-after-free vulnerability in Windows OLE is triggered when Outlook automatically parses a crafted RTF-encoded email in the reading pane. The flaw lets a remote attacker corrupt heap memory and ultimately execute arbitrary code in the user's context. Affected: Windows 10/11 and Windows Server 2008 SP2 through Windows Server 2025, prior to the January 2025 Patch Tuesday. Microsoft rates exploitation "More Likely" because the trigger is automatic email preview — the attacker only needs the victim's mailbox to receive the message.
Probably yes if any of these apply:
Affected OS versions
CVE-2025-21298 was reported by an anonymous researcher and patched in the January 2025 Patch Tuesday rollup. Microsoft's only pre-patch workaround was configuring Outlook to display messages as plain text — a setting most enterprises cannot deploy without serious user complaints. Multiple security firms published technical analyses within days; a working PoC that triggers controlled heap corruption was demonstrated publicly. The wormable, no-click delivery path makes this comparable to historical Outlook/MSHTML preview-pane bugs.
Manual remediation steps
⏱ 30–60 minutes including reboot

Workaround until patched — Outlook plain-text reading
```powershell
# Force Outlook to read messages as plain text (per-user setting).
# Substitute the correct Office version in the registry path (16.0 for current).
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail" -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail" `
    -Name "ReadAsPlain" -Value 1 -Type DWord
# Users must restart Outlook for the setting to take effect.
```
Group Policy deployment of the workaround
```text
# Office Group Policy Templates → Microsoft Outlook → Outlook Options →
# Preferences → E-mail Options → "Read all standard mail in plain text" = Enabled
```
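The two snippets above hardcode the 16.0 Office path and set only the user preference. The following script is an added example, not the advisory's own tooling: it enumerates every Office version that has Outlook settings in the current user's hive, reports the effective plain-text state (the policy value under `HKCU:\Software\Policies\...` is assumed to be where the Group Policy setting lands and to override the user value), and can apply or revert the user-level workaround so it is easy to remove after patching.

```powershell
# Added example, not the advisory's own script: report, apply or revert the
# Outlook "read as plain text" workaround for every Office version present in
# the current user's hive, rather than hardcoding 16.0 in the registry path.
param(
    [ValidateSet('Status', 'Apply', 'Revert')]
    [string]$Action = 'Status'
)

function Get-OutlookOfficeVersions {
    # Office keeps per-version Outlook settings under HKCU:\Software\Microsoft\Office\<major.minor>\Outlook.
    Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PSChildName -match '^\d+\.\d+$' -and
            (Test-Path -Path "HKCU:\Software\Microsoft\Office\$($_.PSChildName)\Outlook")
        } |
        ForEach-Object { $_.PSChildName }
}

function Get-ReadAsPlainState {
    param([string]$Version)
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Mail"
    # Assumed policy location: the key the "Read all standard mail in plain text" GPO writes to.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\Outlook\Options\Mail"
    $user   = (Get-ItemProperty -Path $userKey   -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    $policy = (Get-ItemProperty -Path $policyKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    # A policy value overrides the user preference, so it decides the effective state.
    $effective = if ($null -ne $policy) { $policy -eq 1 } else { $user -eq 1 }
    [pscustomobject]@{
        OfficeVersion = $Version
        UserValue     = $user
        PolicyValue   = $policy
        PlainTextOn   = $effective
    }
}

function Set-ReadAsPlain {
    param([string]$Version, [int]$Value)
    $key = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Mail"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name ReadAsPlain -Value $Value -Type DWord
}

$versions = @(Get-OutlookOfficeVersions)
if ($versions.Count -eq 0) {
    Write-Warning 'No Outlook settings found under HKCU; is Outlook installed and has this user run it?'
    return
}

foreach ($v in $versions) {
    switch ($Action) {
        'Apply'  { Set-ReadAsPlain -Version $v -Value 1 }
        'Revert' { Set-ReadAsPlain -Version $v -Value 0 }
    }
    # Always print the resulting state so the change (or its absence) is visible.
    Get-ReadAsPlainState -Version $v
}

if ($Action -ne 'Status') {
    Write-Host 'Outlook must be restarted for the change to take effect.'
}
```

Run it as the affected user (`.\Set-OutlookPlainText.ps1 -Action Apply`, then `-Action Status` to confirm, `-Action Revert` after the January 2025 update is verified). If `PolicyValue` is populated, the setting is being managed by Group Policy and the user-level revert will not change the effective state.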
Apply the January 2025 cumulative update
Look up CVE-2025-21298 (MSRC advisory or Microsoft Update Catalog) to find the current superseding cumulative update for your OS.

Verify

```powershell
# Confirm the OLE binary is patched:
(Get-Item C:\Windows\System32\ole32.dll).VersionInfo.FileVersion
# After verification, remove the plain-text workaround if applied.
```
Per-OS KB reference
Per-Windows-Server-version KB mapping for this vulnerability. Each KB is the cumulative update that contains the fix for the listed OS version. Apply the KB for the OS you are running.
| Windows Server version | Cumulative update | Microsoft Update Catalog |
|---|---|---|
| Windows Server 2012 R2 | KB5050048 | https://catalog.update.microsoft.com/Search.aspx?q=KB5050048 |
| Windows Server 2016 | KB5049993 | https://catalog.update.microsoft.com/Search.aspx?q=KB5049993 |
| Windows Server 2019 | KB5050008 | https://catalog.update.microsoft.com/Search.aspx?q=KB5050008 |
| Windows Server 2022 | KB5049983 | https://catalog.update.microsoft.com/Search.aspx?q=KB5049983 |
| Windows Server 2025 | KB5050009 | https://catalog.update.microsoft.com/Search.aspx?q=KB5050009 |
This per-OS KB table was added 2026-05-21 from MSRC ingestion data. Verify each KB against the live MSRC advisory for your environment.
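The verify step above prints the `ole32.dll` version but gives nothing to compare it against, and the KB table has to be matched to the OS by hand. The script below is an added example, not the advisory's own tooling: it maps the running Windows Server release to the KB listed in the table, checks `Get-HotFix` for it, and reports the OS build and `ole32.dll` version alongside, because a later cumulative update supersedes the listed KB and will not show up under that ID. The threshold file version is deliberately not hardcoded; compare the reported values with the MSRC advisory's file table for your OS.

```powershell
# Added example, not the advisory's own script: resolve the expected January 2025
# cumulative update from the KB table for this Windows Server release, check
# whether it is installed, and report the build and ole32.dll version for the
# case where a later cumulative has superseded the listed KB.
$KbByServerVersion = [ordered]@{
    'Windows Server 2012 R2' = 'KB5050048'
    'Windows Server 2016'    = 'KB5049993'
    'Windows Server 2019'    = 'KB5050008'
    'Windows Server 2022'    = 'KB5049983'
    'Windows Server 2025'    = 'KB5050009'
}

function Get-OsCaption {
    # Looks like "Microsoft Windows Server 2019 Standard".
    (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
}

function Get-ExpectedKb {
    param([string]$Caption)
    foreach ($name in $KbByServerVersion.Keys) {
        if ($Caption -like "*$name*") { return $KbByServerVersion[$name] }
    }
    return $null   # OS not covered by the table (e.g. client Windows)
}

function Test-KbInstalled {
    param([string]$Kb)
    if (-not $Kb) { return $false }
    # Get-HotFix -Id writes an error when the KB is absent, so list and filter instead.
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $Kb }
    return [bool]$hit
}

function Get-Cve202521298Status {
    $cv      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ole32   = Get-Item -Path "$env:SystemRoot\System32\ole32.dll"
    $caption = Get-OsCaption
    $kb      = Get-ExpectedKb -Caption $caption
    [pscustomobject]@{
        OsCaption    = $caption
        # UBR (update build revision) is absent on older releases; the field is then "<build>."
        OsBuild      = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        ExpectedKb   = $kb
        KbInstalled  = Test-KbInstalled -Kb $kb
        Ole32Version = $ole32.VersionInfo.FileVersion
    }
}

$status = Get-Cve202521298Status
$status | Format-List

if ($null -eq $status.ExpectedKb) {
    Write-Warning 'This OS is not in the KB table; check the MSRC advisory for the correct update.'
} elseif (-not $status.KbInstalled) {
    Write-Warning ("{0} not reported by Get-HotFix. A later cumulative may have superseded it; " +
                   "compare OsBuild and Ole32Version with the MSRC file table before treating " +
                   "this host as unpatched.") -f $status.ExpectedKb
}
```

`KbInstalled = True` is a positive confirmation; `False` is not proof of exposure on a host that receives monthly cumulatives, which is why the build and file version are printed with it. Run it in an elevated session if `Get-HotFix` returns incomplete results.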
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References