Microsoft has released urgent security patches to address a high-severity zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509. The flaw, described as a security feature bypass within Microsoft Office, has a CVSS score of 7.8 out of 10.0 and has already been exploited in active attacks. The company’s out-of-band update aims to protect users from this actively exploited threat.
The vulnerability allows an unauthorized attacker to bypass a security feature by leveraging untrusted inputs in a security decision within Microsoft Office. According to Microsoft, this flaw bypasses Object Linking and Embedding (OLE) mitigations designed to protect users from vulnerable COM/OLE controls. Exploitation typically requires an attacker to trick a user into opening a specially crafted Office file, though the Preview Pane is reportedly not an attack vector.
Microsoft Office Zero-Day Exploited in the Wild
Microsoft Office is a primary target for cybersecurity threats due to its widespread use across personal and professional environments. The discovery and exploitation of CVE-2026-21509 highlight the persistent risks associated with complex software suites. The tech giant’s swift action in releasing out-of-band patches underscores the severity of this particular zero-day vulnerability.
Customers utilizing Office 2021 and later versions will receive protection automatically through a service-side update. However, these users will need to restart their Office applications for the changes to take effect. For those running older versions, specifically Office 2016 and Office 2019, manual installation of specific updates is required. These include build 16.0.10417.20095 for Office 2019 (both 32-bit and 64-bit editions) and build 16.0.5539.1001 for Office 2016 (both 32-bit and 64-bit editions).
Mitigation Steps for Users
In addition to applying the provided updates, Microsoft is recommending a manual Windows Registry modification as a mitigation measure. This process involves backing up the registry, exiting all Office applications, and then carefully navigating to and modifying specific registry subkeys. The exact path for modification depends on the Office installation type (MSI or Click2Run) and the Windows architecture (32-bit or 64-bit).
The registry change requires creating a new subkey named “{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}” under the relevant “COM Compatibility” node. Within this new subkey, users must create a DWORD (32-bit) Value named “Compatibility Flags” and set its value to hexadecimal 400 (0x400). This registry tweak enforces compatibility settings that help prevent exploitation of the identified vulnerability.
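As an added example (not Microsoft's guidance or code), the following PowerShell script applies the mitigation described above in a checked, repeatable way: it backs up the parent node, refuses to run while Office is open, creates the subkey and DWORD named in the advisory, and verifies the result. The article does not give the exact “COM Compatibility” path, which depends on installation type and architecture, so that path is a placeholder parameter you must supply from the advisory.

```powershell
# Added example: apply and verify the CVE-2026-21509 registry mitigation.
# $ComCompatPath is a PLACEHOLDER for the "COM Compatibility" node that matches
# your Office install (MSI vs Click-to-Run) and Windows architecture (32/64-bit).
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $ComCompatPath,   # e.g. 'HKLM:\<path from advisory>\COM Compatibility'
    [string] $BackupFile = "$env:TEMP\ComCompatibility-backup.reg"
)

$Clsid    = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # subkey name from the advisory
$Name     = 'Compatibility Flags'                       # DWORD value name from the advisory
$Expected = 0x400                                       # hexadecimal 400 from the advisory

# 1. Back up the parent node before changing it. reg.exe wants HKLM\... not HKLM:\...
$regPath = $ComCompatPath -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
& reg.exe export $regPath $BackupFile /y | Out-Null

# 2. Office must be closed; the change only takes effect after its apps restart.
$office = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK, MSACCESS -ErrorAction SilentlyContinue
if ($office) { throw ("Close Office first, still running: {0}" -f ($office.Name -join ', ')) }

# 3. Create the CLSID subkey if it is missing and set the DWORD (idempotent on re-run).
$keyPath = Join-Path $ComCompatPath $Clsid
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name $Name -PropertyType DWord -Value $Expected -Force | Out-Null

# 4. Read the value back and fail loudly if it did not land as expected.
$actual = (Get-ItemProperty -Path $keyPath -Name $Name).$Name
if ($actual -ne $Expected) {
    throw ("Mitigation NOT applied: '{0}' is 0x{1:X}, expected 0x{2:X}" -f $Name, $actual, $Expected)
}
"Mitigation applied: {0}\{1} = 0x{2:X} (backup written to {3})" -f $keyPath, $Name, $actual, $BackupFile
```

Run it once per applicable “COM Compatibility” node (for example the 32-bit node on a 64-bit system, if the advisory lists one), then restart all Office applications.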
Microsoft has not disclosed specific details regarding the scope and nature of the attacks that have leveraged CVE-2026-21509. The discovery of this zero-day vulnerability is credited to the collaborative efforts of the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and the Office Product Group Security Team.
Following Microsoft’s advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion mandates that Federal Civilian Executive Branch (FCEB) agencies must implement the necessary patches by February 16, 2026, to address the security risk posed by this exploited Microsoft Office vulnerability.