Microsoft on Monday released an out‑of‑band security update to address a high‑severity Microsoft Office zero‑day vulnerability that attackers have been actively exploiting. The flaw, identified as CVE‑2026‑21509, has a CVSS score of 7.8 and is categorized as a security feature bypass affecting Microsoft Office. According to Microsoft, the issue stems from “reliance on untrusted inputs in a security decision,” enabling a local attacker to circumvent a critical Office security mechanism.
The company explained that the patch specifically resolves a weakness that allows threat actors to bypass existing OLE (Object Linking and Embedding) protections built into Microsoft Office and Microsoft 365 applications. These mitigations normally block unsafe COM/OLE components from being loaded.
Successful exploitation requires an attacker to send a maliciously crafted Office document and persuade the target to open it. Microsoft confirmed that the Preview Pane cannot be used to trigger the vulnerability.
Supported Versions and Required Updates
Microsoft stated that Office 2021 and later versions will receive protection automatically through a service‑side update, though users must restart their Office applications for the changes to apply.
Users on Office 2016 and Office 2019 must manually install the corresponding updates:
- Office 2019 (32‑bit) — Version 16.0.10417.20095
- Office 2019 (64‑bit) — Version 16.0.10417.20095
- Office 2016 (32‑bit) — Version 16.0.5539.1001
- Office 2016 (64‑bit) — Version 16.0.5539.1001
Temporary Mitigation Guidance
As an interim measure, Microsoft is instructing organizations and users to apply a Windows Registry‑based workaround. The steps include:
- Back up the Windows Registry.
- Close all Microsoft Office programs.
- Launch the Registry Editor.
- Navigate to the registry path that matches the Windows and Office installation type:
64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\
32-bit MSI Office on 64-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\
64-bit Click-to-Run Office, or 32-bit Click-to-Run Office on 32-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\
32-bit Click-to-Run Office on 64-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\
- Under that key, create a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
- Inside that subkey, create a DWORD (32-bit) value named Compatibility Flags and set it to hexadecimal 400 (0x400).
- Exit the Registry Editor and reopen any Office application.
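The manual steps above leave the hardest part to the reader: picking the right one of four registry paths. The PowerShell script below is an added example, not Microsoft's own tooling. It detects whether Office 16.0 is MSI or Click-to-Run and whether it is 32- or 64-bit (reading the Click-to-Run Platform value and the MSI Outlook\Bitness value, both standard locations), refuses to run while Office processes are open, writes the subkey and DWORD, and reads the value back to confirm it. The -Revert switch and the list of process names are my additions; the page only says the workaround is interim, so reverting it once the update is installed is an assumption. Note that the CLSID is the one Windows registers for the Microsoft Web Browser control, so while the flag is set, any document or add-in that legitimately embeds that control in Office will stop loading.

```powershell
# Added example (not Microsoft's own script): detect the Office 16.0 install type and
# bitness, then apply (or with -Revert remove) the CVE-2026-21509 COM Compatibility
# workaround. Run from an elevated PowerShell session with Office closed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Revert   # assumption: the interim workaround is removed once the update is installed
)

$Clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$ValueName = 'Compatibility Flags'
$BlockFlag = 0x400

# Writing under HKLM needs an elevated session.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated (Administrator) PowerShell session.' }

# The advisory says to close all Office programs first; refuse to proceed otherwise.
# Process list is my own; extend it if other Office apps are in use.
$running = Get-Process -Name winword, excel, powerpnt, outlook, msaccess, onenote, visio -ErrorAction SilentlyContinue
if ($running) { throw "Close Office first. Still running: $(($running.Name | Sort-Object -Unique) -join ', ')" }

function Get-OfficeInstallInfo {
    $os64 = [Environment]::Is64BitOperatingSystem
    $c2r  = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        # Click-to-Run records its bitness in the 'Platform' value (x86 / x64 / arm64).
        $platform = (Get-ItemProperty -Path $c2r -Name Platform -ErrorAction SilentlyContinue).Platform
        return [pscustomobject]@{ Type = 'ClickToRun'; Office64 = ($platform -in 'x64', 'arm64'); Windows64 = $os64 }
    }
    # MSI installs record bitness under the Outlook key ('x86' / 'x64'); 32-bit Office on
    # 64-bit Windows lands in WOW6432Node, so check both locations.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Outlook') {
        $bitness = (Get-ItemProperty -Path $k -Name Bitness -ErrorAction SilentlyContinue).Bitness
        if ($bitness) {
            return [pscustomobject]@{ Type = 'MSI'; Office64 = ($bitness -eq 'x64'); Windows64 = $os64 }
        }
    }
    throw 'No Office 16.0 (MSI or Click-to-Run) installation found under HKLM.'
}

function Get-ComCompatPath([pscustomobject]$Info) {
    # Only 32-bit Office on 64-bit Windows is redirected through WOW6432Node; this
    # reproduces the four paths from the advisory.
    $wow = if ($Info.Windows64 -and -not $Info.Office64) { 'WOW6432Node\' } else { '' }
    if ($Info.Type -eq 'ClickToRun') {
        return "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\${wow}Microsoft\Office\16.0\Common\COM Compatibility"
    }
    return "HKLM:\SOFTWARE\${wow}Microsoft\Office\16.0\Common\COM Compatibility"
}

$info = Get-OfficeInstallInfo
$key  = Join-Path (Get-ComCompatPath $info) $Clsid
Write-Host ("Detected {0} Office ({1}-bit) on {2}-bit Windows" -f $info.Type,
            $(if ($info.Office64) { 64 } else { 32 }), $(if ($info.Windows64) { 64 } else { 32 }))
Write-Host "Target key: $key"

if ($Revert) {
    if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove workaround subkey')) {
        Remove-Item -Path $key -Recurse
    }
} elseif ($PSCmdlet.ShouldProcess($key, "Set $ValueName = 0x400")) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $BlockFlag -Force | Out-Null
}

# Read back and confirm the end state (skipped under -WhatIf, where nothing was written).
if (-not $WhatIfPreference) {
    if ($Revert) {
        if (Test-Path $key) { Write-Warning "Subkey still present: $key" } else { Write-Host 'Workaround removed.' }
    } else {
        $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ($null -ne $current -and ($current -band $BlockFlag) -eq $BlockFlag) {
            Write-Host ("OK: {0} = 0x{1:X}" -f $ValueName, $current)
        } else {
            Write-Warning "$ValueName is not set to 0x400 under $key (found: $current)"
        }
    }
}
```

Save it as a .ps1 and run it with -WhatIf first to see which of the four keys it resolved to on a given machine; the verification step at the end is what you would check from a fleet-wide script (a DWORD with bit 0x400 set under the CLSID subkey), since a typo in the path silently does nothing.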
Additional Details and Government Response
Microsoft has not disclosed specific information regarding the scale, techniques, or threat actors involved in exploiting CVE‑2026‑21509. It credited the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and the Office Product Group Security Team for identifying the vulnerability. Following Microsoft's advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the patches no later than February 16, 2026.

