Microsoft on Monday issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks.
The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office.
“Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the tech giant said in an advisory.
“This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.”
Successful exploitation of the flaw relies on an attacker sending a specially crafted Office file and convincing recipients to open it. It also noted that the Preview Pane is not an attack vector.
The Windows maker said customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect. For those running Office 2016 and 2019, it’s required to install the following updates –
- Microsoft Office 2019 (32-bit edition) – 16.0.10417.20095
- Microsoft Office 2019 (64-bit edition) – 16.0.10417.20095
- Microsoft Office 2016 (32-bit edition) – 16.0.5539.1001
- Microsoft Office 2016 (64-bit edition) – 16.0.5539.1001
As mitigation, the company is urging that customers make a Windows Registry change by following the steps outlined below –
- Take a backup of the Registry
- Exit all Microsoft Office applications
- Start the Registry Editor
- Locate the proper registry subkey –
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0CommonCOM Compatibility for 64-bit MSI Office or 32-bit MSI Office on 32-bit Windows
- HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit MSI Office on 64-bit Windows
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareMicrosoftOffice16.0CommonCOM Compatibility for 64-bit Click2Run Office or 32-bit Click2Run Office on 32-bit Windows
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit Click2Run Office on 64-bit Windows
- Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key.
- Within that subkey, add new value by right-clicking the new subkey and choosing New > DWORD (32-bit) Value
- Add a REG_DWORD hexadecimal value called ”Compatibility Flags” with a value of 400
- Exit Registry Editor and start the Office application
Microsoft has not shared any details about the nature and the scope of attacks exploiting CVE-2026-21509. It credited the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team for discovering the issue.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.
