PoC Archive

Windows OLE Zero-Click RCE via Outlook RTF (CVE-2025-21298)

by ynwarcs · 2026-05-16

CVSS: 9.8/10
Severity: Critical
CVE: CVE-2025-21298
Category: binary
Affected product: Microsoft Windows OLE (ole32.dll) as reached by Outlook/Word RTF parsing
Affected versions: Systems missing Microsoft's January 2025 fix for CVE-2025-21298
Disclosed: January 2025 (Microsoft security update); added to this archive 2026-05-16
Patch status: patched

Metadata

Date Added: 2026-05-16
Author / Researcher: ynwarcs
CVE / Advisory: CVE-2025-21298
Category: binary
Severity: Critical
CVSS Score: 9.8 (CVSSv3)
Status: Researched
Tags: RCE, zero-click, Outlook, RTF, OLE, ole32, Windows, memory-corruption, unauthenticated
Related: N/A

Affected Target

Software / System: Microsoft Windows OLE (ole32.dll) as reached by Outlook/Word RTF parsing
Versions Affected: Systems missing Microsoft's January 2025 fix for CVE-2025-21298
Language / Platform: RTF/OLE payloads on Windows
Authentication Required: No
Network Access Required: Yes (email delivery path)

Summary

CVE-2025-21298 is a critical memory-corruption vulnerability in Windows OLE (ole32.dll) that is triggered by malicious RTF content. In Outlook, rendering a message in the preview pane is enough to reach the vulnerable parsing path, so the recipient does not need to open the message or any attachment; for practical purposes it is zero-click. Public reporting and the issue context around the upstream repository indicate exploitation in the wild by nation-state operators, and the CVE is listed in CISA KEV. Successful exploitation yields remote code execution with the privileges of the user running Outlook or Word.


Vulnerability Details

Root Cause

The root cause is a double-free condition in ole32.dll!UtOlePresStmToContentsStm. When header parsing fails, the function releases the contents stream pointer (pstmContents) but does not clear it, and the shared cleanup logic it then reaches releases the same stale pointer a second time. The upstream diff and write-up show that Microsoft's fix nulls the pointer immediately after the first release, so the cleanup path skips it.
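The C program below is an added illustration written for this archive page; it is not code from ole32.dll or from the ynwarcs repository. It models the release-then-cleanup shape described above with a mock refcounted stream that records a second Release() instead of crashing, and places the nulled-pointer fix beside it. Every name in it (MockStream, stream_release, read_pres_header, convert_vulnerable, convert_fixed, double_release_observed) is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a COM IStream: a refcount plus a flag recording whether
 * Release() was ever called on an object whose count had already hit zero.
 * Real ole32 code would call pstm->lpVtbl->Release(pstm) and the second call
 * would touch freed memory; this mock never frees, so the fault is observable. */
typedef struct {
    int refs;
    int released_after_death;   /* set when Release() runs with refs == 0 */
} MockStream;

static MockStream *stream_create(void) {
    MockStream *s = calloc(1, sizeof *s);
    if (s) s->refs = 1;         /* caller owns one reference */
    return s;
}

static void stream_release(MockStream *s) {
    if (s->refs <= 0) { s->released_after_death = 1; return; }   /* double release */
    s->refs--;
}

/* Hypothetical header parse: header_ok selects success (1) or failure (0). */
static int read_pres_header(int header_ok) { return header_ok; }

/* Vulnerable shape (illustrative): the early-error path releases
 * pstmContents, leaves the pointer dangling, and falls into a shared
 * cleanup path that releases it again. */
static int convert_vulnerable(MockStream *pstmContents, int header_ok) {
    int hr = 0;
    if (!read_pres_header(header_ok)) {
        stream_release(pstmContents);       /* first release */
        hr = -1;
        goto cleanup;                       /* pointer still non-NULL */
    }
    /* ... presentation-to-contents conversion would happen here ... */
cleanup:
    if (pstmContents) stream_release(pstmContents);   /* second release on failure */
    return hr;
}

/* Fixed shape: NULL the pointer right after the first release so the
 * shared cleanup skips it. This mirrors the fix described in the write-up. */
static int convert_fixed(MockStream *pstmContents, int header_ok) {
    int hr = 0;
    if (!read_pres_header(header_ok)) {
        stream_release(pstmContents);
        pstmContents = NULL;                /* the one-line fix */
        hr = -1;
        goto cleanup;
    }
cleanup:
    if (pstmContents) stream_release(pstmContents);
    return hr;
}

/* Run one variant on a fresh stream and report whether a double release
 * occurred: 1 = yes, 0 = no, -1 = allocation failure. */
int double_release_observed(int (*fn)(MockStream *, int), int header_ok) {
    MockStream *s = stream_create();
    if (!s) return -1;
    fn(s, header_ok);
    int bad = s->released_after_death;
    free(s);
    return bad;
}

int main(void) {
    printf("vulnerable, bad header: double release = %d\n",
           double_release_observed(convert_vulnerable, 0));
    printf("vulnerable, good header: double release = %d\n",
           double_release_observed(convert_vulnerable, 1));
    printf("fixed, bad header:      double release = %d\n",
           double_release_observed(convert_fixed, 0));
    return 0;
}
```

The point of the model is that the success path is correct in both variants (one owned reference, one release); only the failure path diverges, which is why a malformed presentation stream header is what the PoC needs to supply.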

Attack Vector

An attacker sends a crafted RTF document or email whose embedded OLE object carries malformed presentation stream data. When a vulnerable client parses the content (for example, when Outlook renders it in the preview pane), the OLE presentation-to-contents conversion path is invoked and the double free is triggered.

Impact

Remote code execution on vulnerable Windows hosts with no user click required in preview-pane delivery scenarios.


Environment / Lab Setup

OS:          Windows system missing Jan 2025 security update
Target:      Outlook/Word OLE RTF parsing path (ole32.dll)
Attacker:    Remote email sender in authorized test environment
Tools:       Microsoft Outlook/Word, debugger/monitoring tools, supplied PoC RTF

Setup Steps


Proof of Concept

Step-by-Step Reproduction

  1. Use the supplied PoC file from this directory.

     ls -l cve-2025-21298-poc.rtf

  2. Deliver the RTF to a vulnerable Outlook target (authorized lab mailbox), or open it directly with Word.

  3. Observe the crash or abnormal behavior on a vulnerable build. With a debugger attached and Microsoft public symbols loaded, the call stack at the fault should pass through the OLE stream-handling path in ole32.dll (UtOlePresStmToContentsStm); a patched build processes the same file without faulting.

Exploit Code

See cve-2025-21298-poc.rtf in this folder.

{\rtf...<malicious OLE stream content>...}

Expected Output

- Outlook/Word instability or crash on vulnerable build while parsing the RTF
- Debug traces indicating OLE stream conversion path in ole32.dll

Screenshots / Evidence

  • screenshots/ — add authorized crash/debug evidence for vulnerable and patched comparisons.

Detection & Indicators of Compromise

- Inbound RTF attachments or RTF-bodied messages carrying embedded OLE objects, particularly from senders outside the organization
- Outlook/Word crash events whose faulting module is ole32.dll, with OLE stream processing on the stack
- EDR detections for exploit-like memory-corruption behavior (heap faults, unexpected child processes) originating from Office processes

SIEM / IDS Rule (example):

Correlate inbound RTF email with near-time Outlook/Word crash telemetry
whose stack or faulting module references ole32.dll OLE presentation stream parsing.
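The C scanner below is an added triage example written for this page, not a tool from the ynwarcs repository. It implements the first indicator above: it walks an RTF buffer, hex-decodes each \objdata group, and reports how many decoded blobs contain the Compound File Binary signature (D0 CF 11 E0 A1 B1 1A E1), which marks an embedded OLE2 storage. The two sample RTF strings are constructed for the example and are not real exploit data; the function names (decode_objdata, count_embedded_ole) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Compound File Binary (OLE2 structured storage) signature. */
static const unsigned char CFB_MAGIC[8] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};

/* Constructed sample: one embedded object whose objdata carries an OLE1-style
 * wrapper (version, format id, class name) followed by the CFB signature.
 * Not a real object and not the PoC; it only exercises the scanner. */
static const char SAMPLE_WITH_OBJECT[] =
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}"
    "{\\*\\objdata 01050000 02000000 10000000\n"
    "576f72642e446f63756d656e742e3800 00000000 00000000\n"
    "d0cf11e0a1b11ae1 00000000000000000000000000000000}}\\par}";

/* Constructed sample with no embedded object. */
static const char SAMPLE_PLAIN[] = "{\\rtf1\\ansi Hello, world.\\par}";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the hex run following a \objdata control word into out (at most
 * cap bytes). RTF permits whitespace between digits, so it is skipped; the
 * run ends at the group's closing brace or at the first non-hex character.
 * Returns the number of bytes decoded. */
static size_t decode_objdata(const char *p, unsigned char *out, size_t cap) {
    size_t n = 0;
    int hi = -1;
    for (; *p && *p != '}' && n < cap; p++) {
        if (isspace((unsigned char)*p)) continue;
        int v = hexval((unsigned char)*p);
        if (v < 0) break;
        if (hi < 0) { hi = v; }
        else { out[n++] = (unsigned char)((hi << 4) | v); hi = -1; }
    }
    return n;
}

/* Count \objdata groups whose decoded bytes contain the CFB signature
 * anywhere (the signature sits after the OLE1 wrapper, not at offset 0). */
int count_embedded_ole(const char *rtf) {
    int hits = 0;
    unsigned char buf[4096];
    const char *p = rtf;
    while ((p = strstr(p, "\\objdata")) != NULL) {
        p += strlen("\\objdata");
        size_t n = decode_objdata(p, buf, sizeof buf);
        for (size_t i = 0; i + sizeof CFB_MAGIC <= n; i++) {
            if (memcmp(buf + i, CFB_MAGIC, sizeof CFB_MAGIC) == 0) { hits++; break; }
        }
    }
    return hits;
}

int main(void) {
    printf("embedded OLE objects in sample with object: %d\n",
           count_embedded_ole(SAMPLE_WITH_OBJECT));
    printf("embedded OLE objects in plain sample:       %d\n",
           count_embedded_ole(SAMPLE_PLAIN));
    return 0;
}
```

This is a first-pass filter for mail-gateway or sandbox triage, not a verdict: a hit only says the RTF embeds an OLE storage, which legitimate documents also do, and RTF obfuscation (control words or binary runs interleaved with the hex, oversized blobs beyond the 4 KiB decode cap) can hide data from a scanner this simple. Files it flags should go to full attachment detonation, and files it does not flag are not cleared.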

Remediation

Patch: Apply Microsoft's January 2025 security update addressing CVE-2025-21298
Workaround: Restrict or disable automatic RTF preview handling where operationally feasible
Config Hardening: Use Office Protected View, attachment detonation/sandboxing, and block risky attachment flows

References


Notes

Auto-ingested from https://github.com/ynwarcs/CVE-2025-21298 on 2026-05-16.

The upstream repository describes this as a memory-corruption PoC (it crashes the vulnerable parser), not a fully weaponized exploit.