Microsoft Issues Emergency Patch for Actively Exploited Office Zero-Day Vulnerability
#Vulnerabilities

Laptops Reporter

Microsoft has released an out-of-band security update to address CVE-2026-21509, a critical zero-day vulnerability in Microsoft Office that's being actively exploited in the wild. The vulnerability allows attackers to bypass Office security protections and requires immediate patching.

Microsoft has released an emergency out-of-band security update to address a critical zero-day vulnerability in Microsoft Office that is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-21509, is classified as a security feature bypass that could allow attackers to circumvent Office's built-in security protections.

The vulnerability stems from "reliance on untrusted inputs in a security decision in Microsoft Office," according to the Microsoft Security Response Center. Successful exploitation lets an attacker locally bypass Office security protections, specifically the OLE (Object Linking and Embedding) mitigations that are meant to block known-vulnerable COM (Component Object Model) and OLE controls from being loaded. A bypass of this kind does not execute code by itself; its value to an attacker is that a crafted document can instantiate a control that Office would otherwise refuse, which is then chained with a weakness in that control.

Microsoft has assigned the flaw a CVSS v3.1 base score of 7.8, a high-severity rating. The company confirmed that the vulnerability is being exploited in active attacks, though it has not disclosed who is exploiting it, against whom, or what the malicious documents look like.

Attack Requirements and Scope

To successfully exploit this vulnerability, an attacker must convince the victim to open a specially crafted Office file in an Office application. Microsoft has clarified that the Preview Pane is not an attack vector: merely viewing a malicious document in a preview pane is not sufficient for exploitation, so the risk is concentrated in files a user actually opens.

The vulnerability affects multiple versions of Microsoft Office, with different protection mechanisms in place:

  • Office 2021 and newer: Automatically protected through a service-side change, though users must restart their Office applications for the mitigation to take effect
  • Office 2016 and Office 2019: Not protected until the latest security updates are installed
  • All affected versions: Can apply a registry-based workaround immediately to block exploitation prior to patching

Impact on Federal Agencies

The vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA). Under Binding Operational Directive 22-01, U.S. federal civilian executive branch agencies are required to apply the updates by February 16, 2026, a short deadline that reflects the active exploitation of this vulnerability.
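A KEV listing and its due date are worth tracking for any organization, not only federal agencies. The following is an added example, not code from the article, Microsoft or CISA: it parses a KEV feed document, looks up a CVE and computes the days remaining to its remediation deadline. The feed excerpt it embeds is constructed to match the field names of the real KEV JSON feed; apart from the CVE ID and the February 16, 2026 due date taken from the article, its values (the dateAdded date, descriptions, catalog version) are assumptions.

```python
"""Triage helper for the CISA Known Exploited Vulnerabilities (KEV) feed.

Added example for this article, not Microsoft's or CISA's code. The feed
excerpt below is constructed; it follows the field names of the real KEV JSON
feed, but apart from the CVE ID and the 2026-02-16 due date from the article,
its values (dateAdded, descriptions, catalog version) are assumptions.
"""
import json
from datetime import date, timedelta
from typing import Optional, Union
from urllib.request import urlopen

KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed one-entry excerpt in KEV feed shape. Only cveID and dueDate
# come from the article; every other value is assumed for illustration.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.01.26",
    "dateReleased": "2026-01-26T00:00:00.0000Z",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-21509",
            "vendorProject": "Microsoft",
            "product": "Office",
            "vulnerabilityName": "Microsoft Office Security Feature Bypass Vulnerability",
            "dateAdded": "2026-01-26",
            "shortDescription": "Microsoft Office contains a security feature bypass "
                                "caused by reliance on untrusted input in a security decision.",
            "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                              "BOD 22-01 guidance for cloud services, or discontinue use of "
                              "the product if mitigations are unavailable.",
            "dueDate": "2026-02-16",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        }
    ],
})


def _as_date(value: Union[date, str]) -> date:
    """Accept either a date or an ISO 8601 string (the format the feed uses)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_kev(text: str) -> list:
    """Parse a KEV feed document and return its list of vulnerability entries."""
    feed = json.loads(text)
    entries = feed.get("vulnerabilities", [])
    # The feed states its own entry count; a mismatch indicates a truncated download.
    if "count" in feed and feed["count"] != len(entries):
        raise ValueError(f"feed count {feed['count']} != {len(entries)} entries")
    return entries


def fetch_live_kev(timeout: float = 30.0) -> list:
    """Download and parse the current KEV feed (needs network; not used offline)."""
    with urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def find_cve(entries: list, cve_id: str) -> Optional[dict]:
    """Return the KEV entry for cve_id (case-insensitive), or None if it is not listed."""
    wanted = cve_id.strip().upper()
    for entry in entries:
        if entry.get("cveID", "").upper() == wanted:
            return entry
    return None


def days_until_due(entry: dict, today: Union[date, str]) -> int:
    """Days from today to the entry's dueDate; negative means the deadline has passed."""
    return (_as_date(entry["dueDate"]) - _as_date(today)).days


def due_within(entries: list, today: Union[date, str], days: int) -> list:
    """CVE IDs whose deadline is already past or falls within the next `days` days."""
    horizon = _as_date(today) + timedelta(days=days)
    return sorted(e["cveID"] for e in entries
                  if _as_date(e["dueDate"]) <= horizon)


if __name__ == "__main__":
    # Offline run against the constructed excerpt; swap in fetch_live_kev() for the real feed.
    entries = load_kev(SAMPLE_KEV_FEED)
    entry = find_cve(entries, "cve-2026-21509")
    today = date(2026, 1, 27)
    print(f"{entry['cveID']} added {entry['dateAdded']}, due {entry['dueDate']}, "
          f"{days_until_due(entry, today)} days left as of {today}")
    print("due within 14 days:", due_within(entries, today, 14))
```

The count check matters in practice: the live feed is several megabytes and a partial download would otherwise silently report a CVE as "not listed".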

Context of Recent Windows Updates

This emergency patch comes during an already turbulent January 2026 update cycle for Microsoft products. Earlier this month, the Windows 11 security update KB5074109 was linked to widespread stability issues and reports of UNMOUNTABLE_BOOT_VOLUME boot failures on some systems. These concurrent issues underscore the increasingly fragile state of recent Windows and Office updates.

Protection Recommendations

Microsoft strongly recommends that all affected users install the latest security updates immediately; on Office 2021 and newer, the service-side protection only takes effect once every open Office application has been restarted. For organizations that cannot patch right away, the registry-based workaround provides a temporary mitigation, but it is a stopgap rather than a substitute for the update. Users should also exercise caution when opening Office documents from untrusted sources, since the victim must open a crafted file for exploitation to succeed.

The out-of-band nature of this patch indicates the severity of the threat and Microsoft's prioritization of addressing actively exploited vulnerabilities. Organizations should treat this update as critical and implement it as soon as possible to protect against potential attacks.
