On January 26, 2026, Microsoft released emergency out-of-band security updates to fix CVE-2026-21509, a zero-day security feature bypass vulnerability in Microsoft Office that attackers are actively exploiting. The vulnerability, which has a CVSS v3.1 base score of 7.8 and is rated "Important," relies on untrusted inputs in a security decision, which lets an attacker get around the OLE mitigations that guard against vulnerable COM/OLE controls.
After deceiving users into opening malicious files through phishing or social engineering, local attackers can use CVE-2026-21509 to get around Office protections. The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), and exploitation requires low attack complexity, no privileges, and user interaction.
Following the Patch Tuesday updates, Microsoft Threat Intelligence Center (MSTIC) confirmed detection of exploitation, making this the second actively exploited zero-day patched this month.

Products Affected

Patches for the bug, which affects both current and legacy Office editions, were released on January 26, 2026.

Product | Architecture | KB Article | Build
Office 2016 | 64-bit | 5002713 | 16.0.5539.1001
Office 2016 | 32-bit | 5002713 | 16.0.5539.1001
Office LTSC 2024 | 64/32-bit | N/A | The most recent
Office LTSC 2021 | 64/32-bit | N/A | Current
Office 2019 | 64/32-bit | N/A | 16.0.10417.20095
Current M365 Apps Enterprise | 64/32-bit | N/A |

Check builds by going to File > Account > About.
Users of Office 2021+ get automatic service-side protection after restarting; users of Office 2016 and 2019 need to update or adjust their registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}, add the DWORD "Compatibility Flags" (value 400), adjusting the path for architecture and Click-to-Run installs. Back up the registry before making changes, and restart the Office apps afterwards.
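One way to audit and apply the registry mitigation described above, as an added PowerShell example that is not Microsoft's or this article's own script. It assumes the article's value 400 is hexadecimal (0x400) and that the architecture adjustment means the WOW6432Node view; `Invoke-OleMitigation` is a hypothetical helper name, and Click-to-Run paths are not covered.

```powershell
# Added example, not Microsoft's script. Auditing needs no elevation;
# -Apply must be run from an elevated PowerShell prompt.
$Clsid    = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'  # CLSID from the article
$Name     = 'Compatibility Flags'
$Expected = 0x400  # assumption: the article's "400" is hexadecimal

# Office 16.0 roots: the article's path plus the WOW6432Node view
# (assumption: 32-bit Office on 64-bit Windows). Click-to-Run is not covered.
$OfficeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0'
)

function Invoke-OleMitigation {   # hypothetical helper name
    param([switch]$Apply)
    foreach ($root in $OfficeRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }  # no Office 16.0 here
        $parent = "$root\Common\COM Compatibility"
        $key    = "$parent\$Clsid"
        $value  = (Get-ItemProperty -LiteralPath $key -Name $Name `
                       -ErrorAction SilentlyContinue).$Name
        $state  = 'missing'
        if ($null -ne $value) {
            $state = if (($value -band $Expected) -eq $Expected) { 'set' } else { 'flag not set' }
        }
        if ($Apply -and $state -ne 'set') {
            if (Test-Path -LiteralPath $parent) {
                # Back up the existing key first, as the article advises.
                $tag  = if ($root -like '*WOW6432Node*') { 'wow64' } else { 'native' }
                $file = Join-Path $env:TEMP "com-compat-$tag-$(Get-Date -Format yyyyMMddHHmmss).reg"
                reg.exe export ($parent -replace '^HKLM:', 'HKLM') $file /y | Out-Null
            }
            # New-Item -Force can overwrite an existing key, so create only if absent.
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            # Preserve any flags already present and add the expected bit.
            $new = if ($null -eq $value) { $Expected } else { $value -bor $Expected }
            New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord `
                -Value $new -Force | Out-Null
            $state = 'set (applied)'
        }
        [pscustomobject]@{ Key = $key; State = $state }
    }
}

Invoke-OleMitigation            # audit only
# Invoke-OleMitigation -Apply   # write the value, then restart Office apps
```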
Patching should be given top priority, auto-updates should be enabled, and phishing IOCs such as dubious Office attachments should be closely watched. Use EDR to monitor for COM/OLE anomalies; threat actors prefer this vector for ransomware/APT initial access. Watch the CISA KEV catalog for updates.
No public PoCs or actors have been identified yet.