Description
Deserialization of untrusted data in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-02-10
Score: 7.5 High
EPSS: 3.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves the deserialization of untrusted data in Microsoft Office Outlook, which is an instance of Untrusted Deserialization (CWE‑502). An attacker who can supply crafted data to Outlook can exploit this flaw to spoof sender addresses over a network. This spoofs authentication, enabling the attacker to impersonate legitimate users and potentially deliver malicious content, undermining both the integrity and confidentiality of email communications.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition, and Microsoft Word 2016. All current releases of these products may be vulnerable, as no product‑specific version details are provided.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity, while the EPSS score of 4% shows that, although exploitation has been observed, it remains relatively uncommon. The vulnerability is not listed in the CISA KEV catalog, reflecting a lower immediate threat level. Attackers would need to deliver malicious data to Outlook components over the network, making the likely attack vector remote. If successful, the exploit could compromise the integrity of email messages and facilitate phishing or other spoofing attacks.

Generated by OpenCVE AI on June 18, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update that addresses CVE-2026-21511 to all affected Office and Outlook installations
  • Upgrade SharePoint and Word components with the latest cumulative update that contains the fix
  • Implement email authentication (SPF, DKIM, DMARC) to protect against spoofing while awaiting the patch

Generated by OpenCVE AI on June 18, 2026 at 11:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft word
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft word

Wed, 11 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Deserialization of untrusted data in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.
Title Microsoft Outlook Spoofing Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Microsoft word 2016
Weaknesses CWE-502
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Microsoft word 2016
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


Subscriptions

Microsoft 365 Apps Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019 Word Word 2016
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-11T21:25:37.125Z

Reserved: 2025-12-30T18:10:54.845Z

Link: CVE-2026-21511

cve-icon Vulnrichment

Updated: 2026-02-11T15:45:37.079Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:33.337

Modified: 2026-06-17T10:18:45.297

Link: CVE-2026-21511

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:15:03Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data