Description

Deserialization of untrusted data in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.

PUBLISHED Reserved 2025-12-30 | Published 2026-02-10 | Updated 2026-02-23 | Assigner microsoft




HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

16.0.1 (custom) before https://aka.ms/OfficeSecurityReleases
affected

19.0.0 (custom) before https://aka.ms/OfficeSecurityReleases
affected

16.0.1 (custom) before https://aka.ms/OfficeSecurityReleases
affected

16.0.0 (custom) before https://aka.ms/OfficeSecurityReleases
affected

16.0.1 (custom) before 16.106.26020821
affected

16.0.0 (custom) before 16.106.26020821
affected

16.0.0 (custom) before 16.0.5539.1002
affected

16.0.0 (custom) before 16.0.10417.20097
affected

16.0.0 (custom) before 16.0.19127.20518
affected

16.0.1 (custom) before 16.0.5539.1002
affected

References

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21511 (Microsoft Outlook Spoofing Vulnerability) vendor-advisory patch

cve.org (CVE-2026-21511)

nvd.nist.gov (CVE-2026-21511)
