Microsoft Office Zero-Day CVE-2026-21509 Actively Exploited


Microsoft has released emergency out-of-band security updates to fix a dangerous zero-day vulnerability in Microsoft Office that is being actively exploited in real-world attacks. The flaw, tracked as CVE-2026-21509, allows attackers to bypass critical security protections and puts millions of Office users at risk.

The vulnerability has been assigned a CVSS score of 7.8, marking it as high severity. According to Microsoft, the issue affects Microsoft Office and Microsoft 365, specifically bypassing protections designed to block unsafe COM and OLE components.

Because this is a zero-day vulnerability, attackers were exploiting it before a patch was available, making fast action critical for organizations and individual users.

CVE-2026-21509 is classified as a security feature bypass vulnerability in Microsoft Office. The underlying weakness is reliance on untrusted inputs in a security decision (CWE-807): Office lets attacker-controlled document content influence its decision about whether a COM/OLE component is safe to load, so a crafted file can steer that decision and weaken the built-in protections.

Microsoft explained the issue in its advisory:

“Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.”

More specifically, the flaw bypasses OLE (Object Linking and Embedding) mitigations, which are meant to protect users from malicious COM and OLE controls embedded in Office documents.

Once these safeguards are bypassed, attackers may be able to execute malicious code or load unsafe components when a victim opens a crafted Office file.

To successfully exploit CVE-2026-21509, an attacker must:

  1. Create a specially crafted Microsoft Office document

  2. Deliver it to the victim via email, phishing, or other social engineering

  3. Convince the victim to open the file manually

Microsoft confirmed that the Preview Pane is not affected, meaning the attack does not trigger just by viewing the file preview in File Explorer or Outlook. However, opening the document fully is enough to activate the exploit.

This makes the vulnerability especially dangerous in phishing campaigns, where users are often tricked into opening documents that appear legitimate.

How the fix is delivered depends on the Office version in use:

Microsoft Office 2021 and later, including Microsoft 365 Apps, are protected by a service-side change that Microsoft has already rolled out, so no update needs to be installed. The protection only takes effect after the Office applications are restarted, so users who have kept Word, Excel or Outlook open since the change should close and reopen them.

Office 2016 and Office 2019 are not covered by the service-side change; users of those versions must install the out-of-band updates listed below.

Affected versions and the minimum update builds that fix them:

  • Microsoft Office 2019 (32-bit) – Version 16.0.10417.20095

  • Microsoft Office 2019 (64-bit) – Version 16.0.10417.20095

  • Microsoft Office 2016 (32-bit) – Version 16.0.5539.1001

  • Microsoft Office 2016 (64-bit) – Version 16.0.5539.1001

Failing to install these updates leaves systems vulnerable to active exploitation.

For organizations that cannot patch immediately, Microsoft has published a registry-based mitigation. It sets a COM Compatibility block (a "kill bit") for the vulnerable control's CLSID, so Office refuses to instantiate that control even when a document asks for it.

  • Back up the Windows Registry

  • Close all Microsoft Office applications

  • Open the Registry Editor

  • Navigate to the COM Compatibility key for your Office installation: the standard location is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility, or HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility for 32-bit Office on 64-bit Windows

  • Create a new subkey under it named with the CLSID of the affected control, exactly as given in Microsoft's advisory (braces included)

  • Inside that subkey, add a DWORD (32-bit) value named Compatibility Flags and set it to 400 in hexadecimal (0x400, i.e. 1024 in decimal)

  • Restart Office applications

This mitigation helps block the vulnerable control, reducing exposure until patches can be deployed. However, Microsoft strongly recommends installing official updates as the permanent fix.
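The seven steps above, as an added PowerShell example that is not part of the article or of Microsoft's advisory. It applies the block, verifies that the 0x400 bit is actually set, or removes the block again once the update is installed. The CLSID in the script is a placeholder that must be replaced with the one named in Microsoft's advisory; the two registry paths are the standard Office 16.x COM Compatibility locations and are assumed here rather than taken from the article. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not Microsoft's or the article's code.
# Applies, audits, or removes the Office COM Compatibility block for one CLSID.
# ASSUMPTIONS: the default $Clsid is a placeholder (replace it with the CLSID from
# Microsoft's advisory for CVE-2026-21509); the registry roots below are the
# standard Office 16.x COM Compatibility locations. Requires an elevated prompt.
[CmdletBinding()]
param(
    [ValidateSet('Apply', 'Check', 'Remove')]
    [string]$Mode = 'Check',

    # Placeholder CLSID: must be replaced with the value from Microsoft's advisory.
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

# Compatibility Flags 0x400 (1024 decimal) tells Office not to instantiate the control,
# the same "kill bit" semantics used by the ActiveX Compatibility flags.
$KillFlag = 0x400

function Get-OfficeComCompatPath {
    # Returns the COM Compatibility key(s) for the Office 16.x hives present on this
    # machine. Writing the block into both hives is harmless; missing hives are skipped.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Office\16.0',             # 64-bit Office, or 32-bit Windows
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0'  # 32-bit Office on 64-bit Windows
    )
    $present = @($roots | Where-Object { Test-Path -Path $_ })
    if ($present.Count -eq 0) { throw 'No Office 16.x registry hive found; nothing to mitigate.' }
    foreach ($root in $present) { Join-Path -Path $root -ChildPath 'Common\COM Compatibility' }
}

function Test-OfficeComKillBit {
    param([string]$CompatRoot, [string]$Clsid)
    $key = Join-Path -Path $CompatRoot -ChildPath $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    # The block is in effect only if the 0x400 bit is set; other bits may coexist with it.
    return ($null -ne $flags) -and (($flags -band $KillFlag) -eq $KillFlag)
}

function Set-OfficeComKillBit {
    param([string]$CompatRoot, [string]$Clsid)
    $key = Join-Path -Path $CompatRoot -ChildPath $Clsid
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD "Compatibility Flags" = 0x400; -Force overwrites an existing value.
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $KillFlag -Force | Out-Null
    # Read it back so the caller learns whether the write actually took effect.
    return Test-OfficeComKillBit -CompatRoot $CompatRoot -Clsid $Clsid
}

function Remove-OfficeComKillBit {
    param([string]$CompatRoot, [string]$Clsid)
    $key = Join-Path -Path $CompatRoot -ChildPath $Clsid
    if (Test-Path -Path $key) { Remove-Item -Path $key -Recurse -Force }
}

# Office reads the COM Compatibility keys at startup, so refuse to change them while
# any Office application is still running (step 2 of the procedure above).
if ($Mode -ne 'Check') {
    $running = Get-Process -Name winword, excel, powerpnt, outlook, msaccess, visio, onenote -ErrorAction SilentlyContinue
    if ($running) {
        throw "Close Office first: $(($running.ProcessName | Sort-Object -Unique) -join ', ')"
    }
}

foreach ($root in Get-OfficeComCompatPath) {
    switch ($Mode) {
        'Apply'  { $ok = Set-OfficeComKillBit -CompatRoot $root -Clsid $Clsid; "$root\$Clsid -> blocked=$ok" }
        'Check'  { "$root\$Clsid -> blocked=$(Test-OfficeComKillBit -CompatRoot $root -Clsid $Clsid)" }
        'Remove' { Remove-OfficeComKillBit -CompatRoot $root -Clsid $Clsid; "$root\$Clsid -> removed" }
    }
}
```

Run `.\Set-OfficeComBlock.ps1 -Mode Apply -Clsid '{...}'` with the advisory's CLSID, then `-Mode Check` (or Test-OfficeComKillBit alone in an audit script) to confirm the bit is set on every machine, and `-Mode Remove` once the update is installed. If you want a rollback point beyond Remove, export the COM Compatibility key with `reg export` before applying. The block only stops Office from instantiating that one control; it is a stopgap, not a substitute for the update.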


Microsoft has confirmed that CVE-2026-21509 is actively exploited in the wild, though it has not disclosed details about the attackers, targets, or campaigns involved.

The vulnerability was discovered through a joint effort by:

  • Microsoft Threat Intelligence Center (MSTIC)

  • Microsoft Security Response Center (MSRC)

  • Office Product Group Security Team

The lack of public technical details is common for zero-day cases and helps prevent further abuse while patches are rolled out.

Due to confirmed exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog.

This move requires Federal Civilian Executive Branch (FCEB) agencies to apply patches no later than February 16, 2026. Historically, inclusion in the KEV catalog signals serious risk and often leads to broader adoption of patches across private-sector organizations as well.

Microsoft Office remains one of the most widely used productivity platforms in the world, making it a prime target for cybercriminals. Zero-day vulnerabilities like CVE-2026-21509 are especially dangerous because they:

  • Are exploited before public disclosure

  • Often spread via phishing emails

  • Can bypass trusted security features

  • Impact both individuals and enterprises

Organizations should treat this vulnerability as high priority, ensuring patches are deployed, registry mitigations are applied where needed, and users are reminded not to open unsolicited Office files.

CVE-2026-21509 is a clear reminder that Office-based attacks are still evolving and continue to be effective for threat actors. With active exploitation confirmed and government agencies issuing strict deadlines, patching immediately is critical.

If you manage IT environments or security operations, now is the time to verify Office versions, push updates, and monitor for suspicious document activity.

