Microsoft Office Zero-Day CVE-2026-21509 – Emergency Patch Released Amid Active Exploitation

Microsoft has released emergency security updates for a critical Microsoft Office zero-day vulnerability that has been actively exploited by attackers.

The flaw, identified as CVE-2026-21509 with a CVSS score of 7.8, is a security feature bypass within Microsoft Office. According to Microsoft, “Reliance on untrusted inputs in a security decision allows unauthorized attackers to bypass a local security feature in Office.”

This vulnerability specifically circumvents OLE mitigations in Microsoft 365 and Office, which are designed to protect users from vulnerable COM/OLE controls. Successful exploitation requires attackers to send specially crafted Office files and convince recipients to open them. Microsoft noted that the Preview Pane is not a potential attack vector.

For Office 2021 and later, users will be automatically protected through a server-side update, but applications must be restarted to apply the fix. Users running Office 2016 and 2019 need to install the following updates:

  • Microsoft Office 2019 (32-bit) – 16.0.10417.20095
  • Microsoft Office 2019 (64-bit) – 16.0.10417.20095
  • Microsoft Office 2016 (32-bit) – 16.0.5539.1001
  • Microsoft Office 2016 (64-bit) – 16.0.5539.1001

As an additional mitigation, Microsoft recommends a Windows Registry modification:

  1. Back up the Windows Registry and exit all Office applications
  2. Open the Registry Editor
  3. Navigate to the subkey that matches the installed Office version and architecture (e.g., HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility for MSI-based Office installations)
  4. Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} under the COM Compatibility node
  5. Within the new subkey, create a DWORD (32-bit) value called "Compatibility Flags" and set it to 400
  6. Exit Registry Editor and restart the Office application
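The registry mitigation above, as a PowerShell audit/apply script added here as an example (it is not from the article or from Microsoft's guidance). It assumes the article's example key for MSI-based Office 16.0, treats the "400" in step 5 as the hexadecimal DWORD 0x400 that Registry Editor stores by default, and takes the Office process names it checks as an assumption; run it elevated.

```powershell
# Added example, not Microsoft's code: audit (and with -Apply, set) the COM Compatibility
# kill-bit mitigation for the CLSID named in the advisory. Run from an elevated prompt.
param(
    # Assumption: the article's example key; substitute the key for your Office version/architecture.
    [string]$BaseKey = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    [switch]$Apply
)
$Clsid   = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID from the advisory
$KillBit = 0x400                                       # "Compatibility Flags" 400 (hex) from step 5
$Key     = Join-Path $BaseKey $Clsid

function Get-MitigationState {
    # Reports whether the kill bit is present, so the script can be used for fleet auditing.
    if (-not (Test-Path -LiteralPath $Key)) { return 'missing-key' }
    $flags = (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags)              { return 'missing-value' }
    if (($flags -band $KillBit) -ne 0) { return 'mitigated' }
    return ('wrong-value:0x{0:X}' -f $flags)
}

$state = Get-MitigationState
Write-Host "[$Clsid] $state"

if ($Apply -and $state -ne 'mitigated') {
    # Step 1/6: Office must be closed, since the flag is read when the application starts.
    # Assumption: these are the Office executables present on the host.
    $office = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue
    if ($office) { throw "Close Office before applying: $(($office.Name | Sort-Object -Unique) -join ', ')" }

    New-Item -Path $Key -Force | Out-Null                              # step 4: create the subkey
    $existing = (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $new = [int]$existing -bor $KillBit                                # keep other bits, set the kill bit
    Set-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -Value $new -Type DWord   # step 5
    Write-Host "Applied. State now: $(Get-MitigationState)"
}
```

Without -Apply the script only reports the state, which makes it usable as a compliance check across endpoints before and after the patch is rolled out.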

Microsoft has not provided specific details about the attacks exploiting this vulnerability. The discovery is credited to the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and the Office Product Group Security Team.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog, instructing Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.
