Windows OLE Zero-Click RCE via Outlook RTF (CVE-2025-21298)
by ynwarcs · 2026-05-16
- Severity: Critical
- CVE: CVE-2025-21298
- Category: binary
- Affected product: Microsoft Windows OLE (ole32.dll) as reached by Outlook/Word RTF parsing
- Affected versions: Systems missing Microsoft's January 2025 fix for CVE-2025-21298
- Disclosed: 2026-05-16
- Patch status: patched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-16 |
| Author / Researcher | ynwarcs |
| CVE / Advisory | CVE-2025-21298 |
| Category | binary |
| Severity | Critical |
| CVSS Score | 9.8 (CVSSv3) |
| Status | Researched |
| Tags | RCE, zero-click, Outlook, RTF, OLE, ole32, Windows, memory-corruption, unauthenticated |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Microsoft Windows OLE (ole32.dll) as reached by Outlook/Word RTF parsing |
| Versions Affected | Systems missing Microsoft’s January 2025 fix for CVE-2025-21298 |
| Language / Platform | RTF/OLE payloads on Windows |
| Authentication Required | No |
| Network Access Required | Yes (email delivery path) |
Summary
CVE-2025-21298 is a critical Windows OLE memory-corruption vulnerability in ole32.dll that can be triggered through malicious RTF content. In Outlook scenarios, preview-pane rendering is sufficient to trigger the vulnerable parsing flow, making this effectively zero-click for recipients. Public reporting and issue context indicate exploitation in the wild by nation-state operators, and the CVE is listed in CISA KEV. Successful exploitation can lead to remote code execution in the target user context.
Vulnerability Details
Root Cause
The root cause is a double-free condition in ole32.dll!UtOlePresStmToContentsStm. The function releases a stream pointer (pstmContents) and later reaches cleanup logic that can release the same stale pointer again when header parsing fails. The upstream diff and write-up show that Microsoft addressed this by nulling the pointer after the first release.
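The pointer-lifetime mistake described above, as an added example that is not Microsoft's ole32.dll code: a toy COM-style stream object and a conversion routine that follows the same shape (early release, shared cleanup block, header-parse error path). `stream_t`, `stream_release`, `convert_pres_stream` and `releases_when_header_fails` are hypothetical names; only `pstmContents` is taken from the write-up. The `apply_fix` flag toggles the one-line change the patch is described as making, so the two outcomes can be compared side by side.

```c
/* Added example, not Microsoft's ole32.dll code: a toy model of the
 * double-free pattern the write-up describes for UtOlePresStmToContentsStm.
 * stream_t, stream_release and convert_pres_stream are hypothetical names;
 * only pstmContents is taken from the advisory text. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int refcount;       /* COM-style reference count, 0 means the object is gone */
    int release_calls;  /* every Release() the caller issued, including invalid ones */
} stream_t;

/* Toy IStream::Release: records the call and decrements the count.
 * A real Release on a freed object is memory corruption; here it is only counted. */
static void stream_release(stream_t *s)
{
    s->release_calls++;
    if (s->refcount > 0)
        s->refcount--;
}

/* Models the conversion routine. With apply_fix == false it follows the
 * pre-patch flow: release pstmContents early, keep the stale pointer, and let
 * the shared cleanup block release it again when the header parse fails.
 * Returns how many Release() calls hit the contents stream. */
static int convert_pres_stream(stream_t *contents, bool header_ok, bool apply_fix)
{
    stream_t *pstmContents = contents;

    /* first release: the contents stream is done with on this path */
    stream_release(pstmContents);
    if (apply_fix)
        pstmContents = NULL;   /* the January 2025 fix: clear the pointer after release */

    if (!header_ok)
        goto cleanup;          /* malformed presentation header -> error path */

    /* ... normal conversion would continue here ... */
    return contents->release_calls;

cleanup:
    /* generic cleanup releases whatever it believes is still held */
    if (pstmContents != NULL)
        stream_release(pstmContents);   /* second release on a dangling pointer when unfixed */
    return contents->release_calls;
}

/* Runs the failing-header path on a fresh object so the outcome is easy to check. */
static int releases_when_header_fails(bool apply_fix)
{
    stream_t s = { .refcount = 1, .release_calls = 0 };
    return convert_pres_stream(&s, false, apply_fix);
}

int main(void)
{
    printf("unfixed, bad header: %d release(s)\n", releases_when_header_fails(false)); /* 2 */
    printf("fixed,   bad header: %d release(s)\n", releases_when_header_fails(true));  /* 1 */
    return 0;
}
```

The point the model makes is that the second release is not a bug in the cleanup block itself but in the state it inherits: once the pointer is nulled after the first release, the existing `if (pstmContents != NULL)` guard in cleanup is enough, which is why a one-line fix closes the issue.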
Attack Vector
An attacker sends a crafted RTF document/email containing malicious OLE presentation stream data. When a vulnerable client parses the content (for example via Outlook preview pane), the OLE conversion path is invoked and the double-free is triggered.
Impact
Remote code execution on vulnerable Windows hosts with no user click required in preview-pane delivery scenarios.
Environment / Lab Setup
OS: Windows system missing Jan 2025 security update
Target: Outlook/Word OLE RTF parsing path (ole32.dll)
Attacker: Remote email sender in authorized test environment
Tools: Microsoft Outlook/Word, debugger/monitoring tools, supplied PoC RTF
Setup Steps
Proof of Concept
Step-by-Step Reproduction
1. Use the supplied PoC file from this directory:

```shell
ls -l cve-2025-21298-poc.rtf
```

2. Deliver the RTF to a vulnerable Outlook target (authorized lab mailbox) or open it with Word.
3. Observe crash/abnormal behavior in vulnerable builds and inspect the call stack for the OLE stream handling path (UtOlePresStmToContentsStm).
Exploit Code
See cve-2025-21298-poc.rtf in this folder.
Expected Output
- Outlook/Word instability or crash on vulnerable build while parsing the RTF
- Debug traces indicating OLE stream conversion path in ole32.dll
Screenshots / Evidence
screenshots/ — add authorized crash/debug evidence for vulnerable and patched comparisons.
Detection & Indicators of Compromise
- Suspicious inbound RTF attachments/messages targeting Outlook clients
- Outlook/Word crash events tied to OLE stream processing in ole32.dll
- EDR detections for exploit-like memory-corruption behavior from Office processes
SIEM / IDS Rule (example):
Correlate inbound RTF email + near-time Outlook/Word crash telemetry
with stack/module references to ole32.dll OLE presentation stream parsing.
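The correlation rule sketched above, as an added example that is not part of the archive entry: a minimal pass over constructed telemetry that pairs an inbound RTF delivery with an Outlook/Word crash on the same host whose faulting module is ole32.dll, within a time window. The `event_t` layout, the `EV_MAIL_RTF`/`EV_APP_CRASH` kinds, the hostnames, timestamps and crash strings are all invented for the example; a real deployment would feed these from the mail gateway and Windows Error Reporting or EDR crash events.

```c
/* Added example, not part of the archive entry: a minimal correlation of the
 * "inbound RTF + near-time Outlook/Word crash in ole32.dll" rule over
 * constructed telemetry. Event layout and all sample values are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { EV_MAIL_RTF, EV_APP_CRASH } event_kind;

typedef struct {
    long ts;            /* epoch seconds */
    event_kind kind;
    const char *host;   /* recipient workstation */
    const char *detail; /* attachment name, or "<process> faulting module <dll>" */
} event_t;

/* A crash qualifies only if an Office mail/document process faulted in ole32.dll. */
static bool is_ole32_office_crash(const event_t *e)
{
    if (e->kind != EV_APP_CRASH)
        return false;
    bool office = strstr(e->detail, "OUTLOOK.EXE") != NULL ||
                  strstr(e->detail, "WINWORD.EXE") != NULL;
    return office && strstr(e->detail, "ole32.dll") != NULL;
}

/* Counts RTF deliveries followed on the same host, within window_s seconds,
 * by a qualifying crash. Events need not be sorted. */
static int count_correlated(const event_t *ev, size_t n, long window_s)
{
    int alerts = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind != EV_MAIL_RTF)
            continue;
        for (size_t j = 0; j < n; j++) {
            long delta = ev[j].ts - ev[i].ts;
            if (is_ole32_office_crash(&ev[j]) && strcmp(ev[j].host, ev[i].host) == 0
                && delta >= 0 && delta <= window_s) {
                printf("ALERT host=%s rtf=%s crash=\"%s\" (+%lds)\n",
                       ev[i].host, ev[i].detail, ev[j].detail, delta);
                alerts++;
                break;   /* one alert per delivery */
            }
        }
    }
    return alerts;
}

/* Constructed sample: only ws01 has an RTF followed by an Outlook crash in
 * ole32.dll inside a 5-minute window; the others each miss one condition. */
static const event_t sample[] = {
    { 1000, EV_MAIL_RTF,  "ws01", "invoice.rtf" },
    { 1120, EV_APP_CRASH, "ws01", "OUTLOOK.EXE faulting module ole32.dll" },
    { 2000, EV_MAIL_RTF,  "ws02", "notes.rtf" },
    { 2100, EV_APP_CRASH, "ws02", "WINWORD.EXE faulting module mso.dll" },   /* wrong module */
    { 3000, EV_APP_CRASH, "ws03", "OUTLOOK.EXE faulting module ole32.dll" }, /* no prior RTF */
    { 7000, EV_MAIL_RTF,  "ws04", "agenda.rtf" },
    { 7400, EV_APP_CRASH, "ws04", "OUTLOOK.EXE faulting module ole32.dll" }, /* outside window */
};

static int demo_alert_count(void)
{
    return count_correlated(sample, sizeof sample / sizeof sample[0], 300);
}

int main(void)
{
    printf("alerts: %d\n", demo_alert_count());   /* 1 */
    return 0;
}
```

Widening the window to 600 seconds also picks up the ws04 pair, which is the tuning trade-off this rule carries: a short window keeps the preview-pane case (crash seconds after delivery) while avoiding noise from unrelated Office crashes later in the day.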
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Microsoft’s January 2025 security update addressing CVE-2025-21298 |
| Workaround | Restrict/disable automatic RTF preview handling where operationally feasible |
| Config Hardening | Use Office Protected View, attachment detonation/sandboxing, and block risky attachment flows |
References
- CVE-2025-21298 — NVD
- Microsoft MSRC advisory
- CISA Known Exploited Vulnerabilities Catalog
- Source Repository — ynwarcs/CVE-2025-21298
Notes
Auto-ingested from https://github.com/ynwarcs/CVE-2025-21298 on 2026-05-16.
The upstream repository describes this as a memory-corruption PoC and not a full weaponized exploit.