Microsoft Patches Actively Exploited Office Zero-Day Used To Bypass Security Controls

Out-of-band update addresses CVE-2026-21509 as federal agencies face a February deadline

Published on Jan 27, 2026

Microsoft has issued an urgent out-of-band security update in response to an actively exploited zero-day vulnerability in Microsoft Office that circumvents certain critical security safeguards.

The vulnerability, which has been designated CVE-2026-21509, was classified as “Important” and has a CVSS (Common Vulnerability Scoring System) rating of 7.8.

The flaw arises because Microsoft Office relies on untrusted input when making a security decision.

Because the weakness sits above the Object Linking and Embedding (OLE) mitigation, Microsoft said attackers can bypass the controls that protect users from potentially hazardous Component Object Model (COM) and OLE content embedded within Office file formats.

Successful exploitation requires social engineering, with attackers sending a malicious document and convincing a user to open it. However, Microsoft confirmed that the Preview Pane cannot be used to trigger the exploit.

Enterprise impact and remediation guidance

CVE-2026-21509 affects numerous Office products, including Microsoft Office 2016, Microsoft Office 2019, Office LTSC (Long Term Servicing Channel) 2021 and 2024, and Microsoft 365 Apps for Enterprise.

Microsoft reported that customers utilizing Office 2021 and later versions were automatically protected through a service-side modification, though users must restart Office applications for the protection to take effect.

For organizations still running Office 2016 or Office 2019, Microsoft indicated that version-specific patches must be installed or, as a temporary measure, the registry-based mitigations it published must be applied to reduce the risk of exploitation of CVE-2026-21509. These mitigations should be viewed as an interim solution until the proper patches are available.

Microsoft has not shared details about the observed attacks. However, the user interaction required to exploit CVE-2026-21509 and the nature of the bypass suggest targeted attacks rather than widespread or opportunistic activity.

This is consistent with Office exploitation trends over the last few years, in which attackers favor reliable, low-profile methods to obtain an initial foothold in a target environment.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-21509 to the list of Known Exploited Vulnerabilities (KEV), and has established a remediation deadline of Feb. 16, 2026, for federal civilian agencies.