Microsoft has released an out-of-band security update to fix an actively exploited zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509. The flaw allows attackers to bypass built-in security protections and potentially gain high-impact access when a user opens a malicious Office file.

The company confirmed that exploitation has already been detected in the wild, prompting immediate remediation guidance for both consumer and enterprise environments.
How CVE-2026-21509 Impacts Microsoft Office Users
CVE-2026-21509 is classified as a Security Feature Bypass vulnerability caused by reliance on untrusted input during security decisions inside Microsoft Office. An attacker can abuse this weakness to bypass protections designed to block risky COM and OLE components.
Key risk details:
- Severity: Important
- CVSS Score: 7.8
- Attack Vector: Local
- User Interaction: Required (victim must open a malicious Office file)
- Impact: High confidentiality, integrity, and availability risk
- Preview Pane: Not an attack vector
Microsoft confirms that attackers must convince a victim to open a specially crafted Office document for exploitation to succeed.
Active Exploitation Confirmed by Microsoft and CISA
Microsoft’s security advisory marks the vulnerability as Exploitation Detected, even though it has not been publicly disclosed.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) Catalog, signaling elevated risk across government and enterprise networks. Federal agencies must apply remediation by February 16, 2026, and CISA strongly urges all organizations to patch immediately.
Which Office Versions Are Affected
The vulnerability impacts a wide range of Office products, including:
- Microsoft 365 Apps for Enterprise
- Office 2021
- Office LTSC 2021 and LTSC 2024
- Office 2019
- Office 2016
Microsoft released security updates for supported versions on January 26, 2026.
Automatic Protection for Office 2021 and Newer
If you run Office 2021 or later, Microsoft applies protection automatically through a service-side change. However, users must restart all Office applications for the protection to activate. No manual update is required if automatic updates are enabled.
Manual Update Required for Office 2016 and 2019
Users running Office 2016 or Office 2019 must install the security update manually to remain protected.
Microsoft confirms that updated builds are now available:
- Office 2019 (32-bit / 64-bit): Build 16.0.10417.20095
- Office 2016 (32-bit / 64-bit): Build 16.0.5539.1001
To verify your installed build:
- Open any Office app.
- Click File → Account → About.
- Check the build number displayed at the top.
If your version does not match the patched build, install updates immediately using Windows Update or Office’s built-in updater.
Immediate Mitigation: Registry Protection for Office 2016 and 2019
If you cannot install the update immediately, Microsoft recommends applying a temporary registry mitigation to block exploitation.
Important: Incorrect registry changes can cause system issues. Back up your registry before making changes.
Step-by-Step Registry Mitigation
- Close all Office applications.
- Press Windows Key, type regedit, and open Registry Editor.
- Navigate to the key that matches your Office installation type and bitness:
  - 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\
  - 32-bit MSI Office on 64-bit Windows:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\
  - 64-bit Click-to-Run Office, or 32-bit Click-to-Run Office on 32-bit Windows:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\
  - 32-bit Click-to-Run Office on 64-bit Windows:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\
- If the COM Compatibility key does not exist, create it manually.
- Under COM Compatibility, create a new subkey named:
  {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
- Inside the new subkey, create a DWORD (32-bit) Value named:
  Compatibility Flags
- Set its value, in hexadecimal, to:
  400
- Close Registry Editor and restart your Office apps.
This mitigation blocks the vulnerable COM behavior until the official update is installed.
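The build check and the registry mitigation above can be automated for a fleet. The PowerShell script below is an added example, not the article's text or Microsoft's own tooling: it compares an installed Office 2016/2019 build against the patched builds listed above, refuses to touch the registry while Office is running, and creates or verifies the Compatibility Flags value under the four key locations the article gives. The function names, the MSI-64/MSI-32/C2R-64/C2R-32 labels, and the fallback build number in the usage section are this script's own constructed values; reading VersionToReport from the ClickToRun\Configuration key applies to Click-to-Run installs only.

```powershell
# Added example, not the article's or Microsoft's own tooling: audit an Office 2016/2019
# install against the patched builds listed above and apply or verify the
# COM Compatibility registry mitigation for CVE-2026-21509.
# Writes to HKLM, so run from an elevated (administrator) PowerShell prompt.

# Patched builds the article lists for the manual-update products.
$PatchedBuilds = @{
    Office2019 = [version]'16.0.10417.20095'
    Office2016 = [version]'16.0.5539.1001'
}

# The four COM Compatibility locations from the article, keyed by install type.
# The labels (MSI-64 etc.) are this script's own naming, not Microsoft's.
$ComCompatKeys = @{
    'MSI-64' = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
    'MSI-32' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
    'C2R-64' = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility'
    'C2R-32' = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
}

$Clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$ValueName = 'Compatibility Flags'
$ValueData = 0x400   # hexadecimal 400, as the advisory specifies

function Get-ClickToRunBuild {
    # Click-to-Run installs record the reported version here; MSI installs do not,
    # so for those read the build from File > Account > About instead.
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($null -eq $cfg -or -not $cfg.VersionToReport) { return $null }
    return [version]$cfg.VersionToReport
}

function Test-OfficeBuildPatched {
    param(
        [Parameter(Mandatory)][version]$InstalledBuild,
        [Parameter(Mandatory)][ValidateSet('Office2019', 'Office2016')][string]$Product
    )
    # A build equal to or newer than the patched build already carries the fix.
    return $InstalledBuild -ge $PatchedBuilds[$Product]
}

function Get-ComCompatMitigationState {
    param([Parameter(Mandatory)][ValidateSet('MSI-64', 'MSI-32', 'C2R-64', 'C2R-32')][string]$InstallType)
    $keyPath = Join-Path $ComCompatKeys[$InstallType] $Clsid
    if (-not (Test-Path $keyPath)) { return 'Missing' }
    $flags = (Get-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $flags) { return 'Missing' }
    # Test the 0x400 bit rather than the whole value, so a key that already carries
    # other compatibility flags alongside it still reports as mitigated.
    if (($flags -band $ValueData) -eq $ValueData) { return 'Applied' }
    return 'WrongValue'
}

function Set-ComCompatMitigation {
    param([Parameter(Mandatory)][ValidateSet('MSI-64', 'MSI-32', 'C2R-64', 'C2R-32')][string]$InstallType)
    # The article's first step: Office must be closed for the change to take effect.
    $running = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue
    if ($running) {
        throw "Close these Office apps first: $(($running.ProcessName | Sort-Object -Unique) -join ', ')"
    }
    $keyPath = Join-Path $ComCompatKeys[$InstallType] $Clsid
    # New-Item -Force also creates the COM Compatibility parent when it is absent.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $ValueName -PropertyType DWord -Value $ValueData -Force | Out-Null
    return Get-ComCompatMitigationState -InstallType $InstallType
}

# Usage: a 64-bit Click-to-Run Office 2019 install. The fallback build below is a
# constructed example value for an unpatched machine, not a build from the article.
$build = Get-ClickToRunBuild
if ($null -eq $build) { $build = [version]'16.0.10417.20027' }   # substitute the value shown under About
if (Test-OfficeBuildPatched -InstalledBuild $build -Product Office2019) {
    "Build $build is patched; mitigation state: $(Get-ComCompatMitigationState -InstallType 'C2R-64')"
} else {
    "Build $build is unpatched; applying mitigation: $(Set-ComCompatMitigation -InstallType 'C2R-64')"
}
```

Get-ComCompatMitigationState is the half worth running on every endpoint, patched or not: it reports Missing, WrongValue or Applied, so a configuration-management tool can confirm the interim mitigation landed where the update has not, and can remove it later on the same path once the patched build is verified. The Get-Process guard enforces the article's "close all Office applications" step rather than trusting the operator to remember it.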
Why This Vulnerability Is Dangerous
This flaw bypasses OLE mitigation controls that normally protect users from unsafe COM components inside Office documents. Attackers can embed malicious logic inside files that appear legitimate and trigger the exploit when opened.
Because exploitation requires user interaction, phishing campaigns and malicious email attachments remain the most likely delivery methods.
What Organizations Should Do Now
Security teams should take immediate action:
- Install the January 26, 2026 Office security updates.
- Restart Office apps to activate service-side protection.
- Apply the registry mitigation if patching is delayed.
- Educate users to avoid opening unknown Office attachments.
- Monitor endpoint activity for suspicious Office file behavior.
Microsoft credits the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and the Office Product Security Team for identifying the issue.
FAQs
What is Microsoft Office zero-day CVE-2026-21509?
CVE-2026-21509 is a security feature bypass vulnerability that allows attackers to bypass built-in Office protections when a user opens a malicious document. The flaw abuses untrusted input handling inside Office and impacts multiple supported versions.
Is CVE-2026-21509 actively exploited in real-world attacks?
Yes. Microsoft has confirmed exploitation in the wild, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, indicating elevated risk and urgent remediation requirements.
Which Microsoft Office versions are affected by CVE-2026-21509?
The vulnerability affects Microsoft 365 Apps, Office 2021, Office LTSC 2021 and 2024, Office 2019, and Office 2016. Microsoft released security updates for supported versions on January 26, 2026.
Do Office 2021 and newer versions require manual patching?
No. Office 2021 and later receive protection automatically through a service-side change, but users must restart Office applications for the protection to activate.
What should Office 2016 and Office 2019 users do immediately?
Users should install the latest security updates as soon as possible. If patching cannot be completed immediately, Microsoft recommends applying the temporary registry mitigation to reduce exposure.
How does the registry mitigation protect against exploitation?
The registry change blocks vulnerable COM behavior that attackers use to bypass OLE security controls. This reduces the risk until the official patch is fully deployed.
Can attackers exploit CVE-2026-21509 through the Preview Pane?
No. Microsoft confirms that the Preview Pane does not trigger the vulnerability. A user must actively open a malicious Office file for exploitation to occur.
How severe is Microsoft Office zero-day CVE-2026-21509?
The vulnerability carries a CVSS score of 7.8 and is rated Important, with potential impact on system confidentiality, integrity, and availability.
How can users verify whether their Office installation is patched?
Open any Office application, go to File → Account → About, and confirm the displayed build number matches the latest security release.
Why did CISA add CVE-2026-21509 to the KEV catalog?
CISA adds vulnerabilities when there is confirmed evidence of active exploitation. Inclusion signals that organizations should prioritize immediate remediation.
What is the most common attack method for this vulnerability?
Attackers typically deliver malicious Office documents through phishing emails or unsafe downloads, relying on user interaction to trigger exploitation.
Should organizations accelerate upgrades after this incident?
Yes. Organizations running older Office versions should consider upgrading to supported releases to maintain long-term security coverage and faster patch availability.
If you manage enterprise Office deployments, prioritize rollout validation and endpoint restarts across all affected systems today.