IRONSMITHINTEL
CRITICAL | CVSS 9.8 | CVE-2023-21716 | Auth: none (previewing an RTF email is sufficient) | Reboot: not required | Est. 15 minutes (Office update, no reboot required) | Manual only

KB5002265: Microsoft Word 2016 / 365 Security Update — RTF Heap Corruption (February 2023)

A heap corruption in Word's RTF parser allows remote code execution via a malicious RTF file, and because Outlook renders message bodies with Word it can be triggered from the Outlook Reading Pane without the recipient opening an attachment. Apply KB5002265 (rated 9.8 CRITICAL).

Published Feb 14, 2023 · Updated May 10, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker who gets a crafted RTF message in front of the target gains code execution with the privileges of the user running Outlook. Because Microsoft lists the Preview Pane as an attack vector, no attachment needs to be opened: the message only has to be rendered in the Reading Pane, which makes this a zero-click path in most enterprise mail environments. From there the attacker can run arbitrary code, harvest credentials, and move laterally.

How the attack works

Word's RTF parser corrupts the heap when it processes a document whose font table (the \fonttbl group) declares an excessively large number of fonts. An attacker sends the crafted RTF as the body of an email. Crucially, Outlook uses Word's rendering engine for message bodies, so the bug fires when the Reading Pane renders the message; the user does not have to open or click anything.
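The trigger condition above (an oversized \fonttbl) is easy to look for before a Reading Pane ever renders the content. The following is an added example, not code from the original advisory: it extracts the font table group from RTF text with brace-depth matching, counts the \fN entries, and flags anything above a threshold. The 1000-entry threshold, the C:\quarantine path and the sample documents are assumptions; ordinary documents declare a handful of fonts, not thousands.

```powershell
# Added example (not part of the original page): count the entries in an RTF
# font table so that quarantined mail bodies or files on disk can be triaged.

function Get-RtfFontTableCount {
    param([Parameter(Mandatory)][string]$Rtf)

    $start = $Rtf.IndexOf('\fonttbl')
    if ($start -lt 0) { return 0 }                  # no font table at all

    # Locate the '{' that opens the \fonttbl group, then walk forward tracking
    # brace depth so nested entries such as {\f0\fswiss Arial;} stay inside it.
    $open  = $Rtf.LastIndexOf('{', $start)
    if ($open -lt 0) { return 0 }
    $depth = 0
    $end   = -1
    for ($i = $open; $i -lt $Rtf.Length; $i++) {
        $c = $Rtf[$i]
        if ($c -eq '\') { $i++; continue }          # skip escaped \{ \} \\
        elseif ($c -eq '{') { $depth++ }
        elseif ($c -eq '}') {
            $depth--
            if ($depth -eq 0) { $end = $i; break }
        }
    }
    if ($end -lt 0) { return -1 }                   # unterminated group: malformed
    $group = $Rtf.Substring($open, $end - $open + 1)

    # Each font entry is introduced by \fN. \fcharset, \fnil and \fprq do not
    # match because the pattern requires a digit straight after the 'f'.
    return [regex]::Matches($group, '\\f\d+').Count
}

function Test-RtfFontTable {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Threshold = 1000                      # assumed cut-off, see lead-in
    )
    $count = Get-RtfFontTableCount -Rtf ([System.IO.File]::ReadAllText($Path))
    [pscustomobject]@{
        Path        = $Path
        FontEntries = $count
        Suspicious  = ($count -gt $Threshold -or $count -lt 0)
    }
}

# Constructed samples (not real attacker files): a normal two-font document
# and one whose font table has been padded out to 5000 entries.
$benign = '{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f1\froman Times New Roman;}}\f0 Hello\par}'
$sb = [System.Text.StringBuilder]::new('{\rtf1\ansi{\fonttbl')
foreach ($n in 0..4999) { [void]$sb.Append("{\f$n A;}") }
[void]$sb.Append('}\f0 x\par}')
$padded = $sb.ToString()

Get-RtfFontTableCount -Rtf $benign
Get-RtfFontTableCount -Rtf $padded

# Triage an assumed quarantine directory and list only the suspicious files
Get-ChildItem -Path 'C:\quarantine' -Filter *.rtf -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-RtfFontTable -Path $_.FullName } |
    Where-Object Suspicious
```

The scanner only reads .rtf files; RTF bodies inside Outlook .msg files are stored compressed and would need to be decompressed first. A count of -1 (unterminated \fonttbl group) is reported as suspicious as well, since a parser that never sees the closing brace is exactly the kind of input worth a second look.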

Am I affected? Quick check

Probably yes if any of these apply:

- All Windows users with Word/Outlook
- IT Administrators
- Desktop Support
- Running Word 2013, 2016, 2019, 2021; Microsoft 365 Apps prior to the February 2023 PU; Word for Mac prior to 16.70

Affected OS versions (any Windows host running an unpatched Word or Outlook build; Word for Mac is tracked by the 16.70 build above)

Windows 10, Windows 11, Windows Server 2019, Windows Server 2022

Fixed in: KB5002265 (February 2023 Security Update for Word 2016)
Real-world incidents: what we've seen

Microsoft rated CVE-2023-21716 as 9.8 CRITICAL on February 2023 Patch Tuesday. In March 2023 a researcher published a proof-of-concept that triggers the heap corruption (a crash, not a weaponised code-execution chain), which is enough to confirm the bug is easy to reach. Because the RTF is the message body rather than an attachment, there is nothing for the user to double-click; simply having Outlook open with the malicious email selected in the Reading Pane is sufficient to reach the vulnerable parser.

How to patch

Manual download

For air-gapped machines or out-of-band deployment. The Microsoft Update Catalog returns the 32-bit and 64-bit variants of the Word 2016 package (a self-extracting .exe, not an .msu).

Microsoft Update Catalog: KB5002265 ↗ https://www.catalog.update.microsoft.com/Search.aspx?q=KB5002265

Manual remediation steps

15 minutes (Office update, no reboot required)

Check Office Version

# For Click-to-Run (Microsoft 365, Office 2019/2021): read the build Office reports.
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" |
  Select-Object VersionToReport, CDNBaseUrl   # CDNBaseUrl identifies the update channel
# Must be >= 16.0.16130.20218 (Current Channel) / 16.0.15928.20298 (Monthly Enterprise)

# For MSI Office 2016 (Office 2019 and later are Click-to-Run only): the KB registers as
# an installed update, so look for it by name in the Uninstall keys.
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like "*KB5002265*" } |
  Select-Object DisplayName, InstallDate       # empty output means the update is not installed

Immediate Workaround

# Microsoft's documented workaround: make Outlook display incoming mail as plain text,
# so the Reading Pane never hands a formatted body to Word's parser.
# WARNING: every message, not just RTF ones, is shown as plain text.
# The path is per user and per Office version (16.0 = Office 2016/2019/2021/365).
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Options\Mail" `
  -Name ReadAsPlain -Value 1 -Type DWord
# Roll back after patching by setting ReadAsPlain back to 0.
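Microsoft also lists the Office File Block policy as a workaround for this CVE; it stops Word from opening RTF files delivered as attachments or downloads and complements ReadAsPlain, which covers the Reading Pane. The function below is an added example, not code from the original page: it writes the two File Block values Microsoft documents (RtfFiles = 2 to refuse opening and saving RTF, OpenInProtectedView = 0 so blocked files are refused rather than shown in Protected View) and removes them again after patching. The per-user 16.0 path is an assumption that matches Office 2016/2019/2021/365; fleet-wide deployment belongs in the equivalent Office Group Policy File Block setting rather than per-user registry writes.

```powershell
# Added example (not from the original advisory): toggle Word's File Block
# policy for RTF files under the current user's Office 16.0 hive.
function Set-WordRtfFileBlock {
    param([Parameter(Mandatory)][ValidateSet('Block', 'Restore')][string]$Mode)

    $key = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\FileBlock'   # assumed version segment

    if ($Mode -eq 'Block') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # RtfFiles = 2: do not open or save RTF files.
        # OpenInProtectedView = 0: blocked files are refused outright.
        New-ItemProperty -Path $key -Name RtfFiles -PropertyType DWord -Value 2 -Force | Out-Null
        New-ItemProperty -Path $key -Name OpenInProtectedView -PropertyType DWord -Value 0 -Force | Out-Null
    }
    else {
        # Remove both values once KB5002265 (or the fixed Click-to-Run build) is installed,
        # so legitimate RTF documents open again.
        foreach ($name in 'RtfFiles', 'OpenInProtectedView') {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
    }

    # Echo the resulting state so the change can be verified in the same run
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object RtfFiles, OpenInProtectedView
}

Set-WordRtfFileBlock -Mode Block      # during the exposure window
# Set-WordRtfFileBlock -Mode Restore  # after the update is confirmed installed
```

Word reads the policy at startup, so users must restart Word (and Outlook, which loads the same rendering engine) for the change to take effect. Blocking RTF also blocks legitimate .rtf documents, so pair it with a user notice.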

Apply KB5002265

    1. Click-to-Run: File > Account > Update Options > Update Now
    2. MSI Office 2016: download the KB5002265 package from the Microsoft Update Catalog. It is a self-extracting .exe (not an .msu, so wusa.exe does not apply) and installs silently with: <package>.exe /quiet /norestart

Verify

    1. Open Word > File > Account > About Word
    2. Click-to-Run: build must be >= 16.0.16130.20218 (Current Channel) or 16.0.15928.20298 (Monthly Enterprise). MSI Office 2016: KB5002265 must appear under Control Panel > Programs and Features > View installed updates.
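The three steps above (check the servicing model, apply the update, verify) are an added example below as one script; it is not the site's tested automation and not Microsoft's code. It reads the Click-to-Run build and compares it with the thresholds quoted on this page, falls back to the Uninstall keys for MSI Office 2016, triggers the Click-to-Run updater or runs the Catalog package as appropriate, and re-reads the state afterwards. The package path and file name, and the default Current Channel threshold, are assumptions; pass -MinimumC2RBuild for other channels.

```powershell
# Added example (not the site's script): check, apply and verify the
# CVE-2023-21716 fix for Click-to-Run and MSI Office 2016 installs.

function Get-WordPatchState {
    param([version]$MinimumC2RBuild = '16.0.16130.20218')   # Current Channel threshold quoted above

    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r -and $c2r.VersionToReport) {
        $build = [version]$c2r.VersionToReport
        return [pscustomobject]@{
            Install = 'ClickToRun'
            Build   = $build
            Patched = ($build -ge $MinimumC2RBuild)      # any later build also carries the fix
        }
    }

    # MSI Office 2016: the Catalog package registers under the Uninstall keys
    # with the KB number in its DisplayName.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $kb = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like '*KB5002265*' }
    return [pscustomobject]@{
        Install = 'MSI'
        Build   = $null
        Patched = [bool]$kb
    }
}

function Install-KB5002265 {
    # $PackagePath is the self-extracting .exe downloaded from the Update Catalog
    param([Parameter(Mandatory)][string]$PackagePath)
    if (-not (Test-Path $PackagePath)) { throw "Package not found: $PackagePath" }
    # Office self-extractor switches: /quiet suppresses UI, /norestart defers any reboot prompt
    $proc = Start-Process -FilePath $PackagePath -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    return $proc.ExitCode      # 0 = success; consult Microsoft's Office update exit codes otherwise
}

$state = Get-WordPatchState
$state

if (-not $state.Patched) {
    if ($state.Install -eq 'ClickToRun') {
        # No KB for Click-to-Run: invoke the same updater as File > Account > Update Now
        $client = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe'
        Start-Process -FilePath $client -ArgumentList '/update', 'user' -Wait
    }
    else {
        # Assumed download location and file name for the 64-bit Word 2016 package
        Install-KB5002265 -PackagePath 'C:\patches\word2016-kb5002265-fullfile-x64-glb.exe'
    }
    Get-WordPatchState    # re-read to verify the state actually changed
}
```

Run it elevated: the MSI package and the Click-to-Run updater both need administrative rights, and Word and Outlook should be closed so the updater does not stall waiting on open files.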
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update: 1 fix · Patch-to-CVE mapping

Patch ID  | CVE ID         | Vulnerability Name / Type               | CVSS | Reference
KB5002265 | CVE-2023-21716 | Microsoft Word - RTF file format parser | 9.8  | NVD ↗ https://nvd.nist.gov/vuln/detail/CVE-2023-21716