Published on January 26, 2026

Microsoft Patches Actively Exploited Office Zero-Day Vulnerability


Severity

High

Detail

Microsoft has released emergency out-of-band security updates to address a high-severity zero-day vulnerability in Microsoft Office that is actively being exploited in the wild. Tracked as CVE-2026-21509, the vulnerability is classified as a security feature bypass vulnerability and affects multiple Microsoft Office versions.

CVE Number: CVE-2026-21509
Description: Allows a local, unauthenticated attacker to bypass Microsoft Office security features by abusing untrusted inputs during security decision-making.
CVSS Score (Severity): 7.8 (High)

Successful exploitation requires user interaction, specifically convincing a user to open a malicious Office document. Microsoft clarified that the Preview Pane is not an attack vector. However, exploitation remains feasible through low-complexity attack methods when users manually open crafted files.

“This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which are designed to protect users from vulnerable COM/OLE controls.”

By bypassing OLE security mitigations, attackers may be able to leverage malicious COM/OLE components embedded within Office documents, increasing the risk of follow-on payload execution or further compromise. Given active exploitation, this vulnerability poses a significant risk, particularly in environments where Office documents are commonly exchanged via email.

Affected Versions

  • Microsoft Office 2016 & 2019
  • Microsoft Office LTSC 2021 & 2024
  • Microsoft 365 Apps for Enterprise

Recommendation

  • Apply Microsoft’s out-of-band updates immediately where available.
  • Implement the registry-based mitigation for Office 2016 and 2019 systems.
  • Reinforce user awareness around opening unsolicited or unexpected Office documents.
  • Monitor endpoints for suspicious Office process behavior and COM/OLE abuse.
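The last recommendation, monitoring endpoints for suspicious Office process behaviour, is easiest to act on with a concrete rule. The script below is an added example and is not part of the advisory or of any Microsoft guidance: it scans process-creation records and flags cases where a document-handling Office application is the direct parent of a shell or script interpreter, which is the usual footprint of follow-on payload execution after a document-based bypass. The record format ("Key=Value; Key=Value", loosely modelled on the fields a Sysmon Event ID 1 record carries), the sample events, and the lists of Office parents and interpreter children are all constructed assumptions for the example; tune them to your own telemetry.

```python
"""Flag Office applications that spawn shell or script interpreters.

Added example, not code from the advisory: a small detector run over
constructed process-creation records. Field names follow the general shape
of Sysmon Event ID 1 (Image, ParentImage, CommandLine), but every sample
line below is made up for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Office images that render user-supplied documents (assumption: the parents
# an analyst expects behind document-triggered activity).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child images an Office document should rarely need to launch directly
# (assumption: a common defender baseline, extend to fit your environment).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}


@dataclass(frozen=True)
class Finding:
    parent: str        # lower-cased parent image name, e.g. "winword.exe"
    child: str         # lower-cased child image name, e.g. "cmd.exe"
    command_line: str  # child command line as recorded


# Constructed sample records; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE; "
    "ParentImage=C:\\Windows\\explorer.exe; CommandLine=WINWORD.EXE /n invoice.docx",
    "Image=C:\\Windows\\System32\\cmd.exe; "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE; "
    "CommandLine=cmd.exe /c echo sample",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE; "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE; "
    "CommandLine=WINWORD.EXE /n attachment.docx",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe; "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE; "
    "CommandLine=powershell.exe -NoProfile -Command Get-Date",
    "Image=C:\\Windows\\System32\\cmd.exe; "
    "ParentImage=C:\\Windows\\explorer.exe; CommandLine=cmd.exe",
    "Image=C:\\Windows\\splwow64.exe; "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE; "
    "CommandLine=splwow64.exe 12345",
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value; Key=Value' record (constructed format) into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when an Office parent spawns a suspicious child, else None."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return Finding(parent, child, event.get("CommandLine", ""))
    return None


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over a stream of records and collect the hits in order."""
    hits: List[Finding] = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit.parent} -> {hit.child}: {hit.command_line}")
```

Legitimate parent-child pairs such as Outlook launching Word, or Word launching the print helper, pass through untouched; only the two interpreter launches in the sample set are reported. Expect some benign noise from add-ins and deployment tooling in real environments, so treat hits as triage candidates and add exclusions per signed image rather than loosening the parent list.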

Customers using Office 2021 and later are automatically protected through a service-side update. However, users must restart their Office applications for the protection to take effect.

For organizations using Office 2016 and 2019, where patches are not yet available, Microsoft has published mitigation guidance intended to reduce exploitation risk. The mitigation steps are described at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509.

Source

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509

https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability