Microsoft on Monday released out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability that has been exploited in attacks. The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0 and is described as a Microsoft Office security feature bypass.

"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," the tech giant stated in an advisory. "This patch fixes a flaw that gets around Microsoft Office and 365's OLE mitigations, which shield users from weak COM/OLE controls. An attacker must send a specially created Office file and persuade recipients to open it in order to successfully exploit the vulnerability."

Microsoft also noted that the Preview Pane is not an attack vector. Customers running Office 2021 and later are automatically protected through a service-side change, according to the Windows maker, but they need to restart their Office programs for the change to take effect.

Users of Office 2016 and 2019 need to install the following updates:

- Microsoft Office 2019 (32-bit edition): 16.0.10417.20095
- Microsoft Office 2019 (64-bit edition): 16.0.10417.20095
- Microsoft Office 2016 (32-bit edition): 16.0.5539.1001
- Microsoft Office 2016 (64-bit edition): 16.0.5539.1001

As a mitigating measure, the company is advising customers to modify the Windows Registry by taking the following steps:

1. Make a backup of the registry.
2. Close all Microsoft Office programs.
3. Launch the Registry Editor and find the COM Compatibility subkey that matches your installation:
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility for 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows
   - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility for 32-bit MSI Office on 64-bit Windows
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility for 64-bit Click2Run Office, or 32-bit Click2Run Office on 32-bit Windows
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility for 32-bit Click2Run Office on 64-bit Windows
4. Right-click the COM Compatibility node and add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
5. Right-click the new subkey, select New > DWORD (32-bit) Value, and add a REG_DWORD value named "Compatibility Flags" with the hexadecimal value 400.
6. Start the Office program again.
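The following PowerShell script is an added example, not code from the article or from Microsoft, that audits the four COM Compatibility locations listed above and, when called, applies the workaround the same way the manual steps do. The registry paths, the CLSID, the value name and the hexadecimal 400 flag come from the advisory text quoted on this page; the function names, the backup folder, the list of Office process names and the choice to OR the flag into any existing value are my own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft's advisory): audit and apply the
# CVE-2026-21509 COM Compatibility workaround. Paths, CLSID, value name and the 0x400
# flag are from the advisory; function names, backup folder and process list are assumed.

$Clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$ValueName = 'Compatibility Flags'
$Flag      = 0x400
$BackupDir = 'C:\RegBackup'    # assumed location for the pre-change .reg exports

# COM Compatibility keys named in the advisory, relative to HKLM. Which ones exist depends
# on MSI vs Click-to-Run and on Office/Windows bitness, so absent keys are skipped.
$ComCompatKeys = @(
    'SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    'SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility',
    'SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility',
    'SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
)

function Get-OleMitigationStatus {
    # For each installed Office flavour, report whether the CLSID subkey exists and
    # whether its Compatibility Flags value carries the 0x400 bit.
    foreach ($rel in $ComCompatKeys) {
        $base = "HKLM:\$rel"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $key = Join-Path $base $Clsid
        $current = $null
        if (Test-Path -LiteralPath $key) {
            $current = (Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        $display = $null
        if ($null -ne $current) { $display = '0x{0:X}' -f $current }
        [pscustomobject]@{
            Key       = $key
            Value     = $display
            Mitigated = ($null -ne $current) -and (($current -band $Flag) -eq $Flag)
        }
    }
}

function Set-OleMitigation {
    # Mirrors the manual steps: refuse to run while Office is open, back up each branch
    # that will be touched, create the CLSID subkey, then set Compatibility Flags.
    $running = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue
    if ($running) {
        throw "Close Office first: $(($running.Name | Sort-Object -Unique) -join ', ')"
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($rel in $ComCompatKeys) {
        $base = "HKLM:\$rel"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        # reg.exe wants the native HKLM\... form; one .reg export per branch.
        $bak = Join-Path $BackupDir ('COMCompat-{0}-{1}.reg' -f $stamp, ($rel -replace '[\\ ]', '_'))
        & reg.exe export "HKLM\$rel" $bak /y | Out-Null
        $key = Join-Path $base $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        # The advisory sets the value to 0x400; OR-ing it in keeps any flags already present.
        $new = [int]$existing -bor $Flag
        New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType DWord -Value $new -Force | Out-Null
    }
    Get-OleMitigationStatus
}

Get-OleMitigationStatus | Format-Table -AutoSize
# Set-OleMitigation    # run from an elevated prompt to apply, then start Office again
```

Run the script as-is from an elevated prompt to see which Office flavours are present and whether each already has the flag; `Set-OleMitigation` writes the change and returns the same status table so the result can be verified in one step. The check uses a bitwise test rather than equality so that a value that already contains 0x400 alongside other flags is still reported as mitigated.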

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, and Federal Civilian Executive Branch (FCEB) agencies must apply the patches by February 16, 2026.