
Office zero-day exploited in the wild forces Microsoft OOB patch

Microsoft has issued an emergency Office patch after confirming a zero-day flaw is already being used in real-world attacks.

The flaw, tracked as CVE-2026-21509, and slapped with a CVSS score of 7.8, falls into Microsoft’s “security feature bypass” bucket. In practice, this means attackers can dodge protections that are supposed to stop unsafe legacy components from running. Those components include COM and OLE – old Windows plumbing that’s been at the heart of document-based attacks for years and clearly hasn’t earned its retirement yet.


According to Microsoft, exploitation doesn’t hinge on the Office preview pane – often a red flag in past campaigns – but still requires little effort once a victim is persuaded to open a booby-trapped file. In its advisory, the company describes the issue as a case of “reliance on untrusted inputs in a security decision,” a polite way of saying Office can be talked into doing things it shouldn’t.

“Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” Microsoft said. “An attacker must send a user a malicious Office file and convince them to open it.”

The flaw hits most current Office builds, from Office 2016 and 2019 through to the LTSC releases and Microsoft 365 Apps for Enterprise. Updates are out for newer versions, but anyone still running Office 2016 or 2019 is stuck waiting. Microsoft says fixes for those editions aren’t ready yet and will ship “as soon as possible.”

In the meantime, Redmond is pointing affected customers toward mitigation steps that it says can reduce exploitation risk. Those involve manually blocking vulnerable COM and OLE controls via the Windows registry by adding a specific COM Compatibility key and setting a Compatibility Flags DWORD value. It’s the sort of workaround that many organizations will struggle to deploy consistently at scale.
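As an added illustration of the registry workaround described above (this is neither Microsoft's published guidance nor code from the article), the PowerShell below audits whether a given control already carries a COM Compatibility block and applies one if not. The CLSID is a placeholder, and the key path under HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility and the 0x400 "kill bit" value are assumptions based on how Office has historically blocked COM/ActiveX controls; take the exact CLSID, path and value from Microsoft's advisory.

```powershell
# Added example: audit/apply an Office "COM Compatibility" kill-bit entry.
# ASSUMPTIONS (not from the article): the key path and the 0x400 kill-bit
# value follow Office's historical COM-blocking scheme; the CLSID below is
# a placeholder. Use the values from Microsoft's advisory for CVE-2026-21509.
$ComCompatRoot = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
$KillBit = 0x400

function Test-OfficeComBlocked {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $ComCompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    # Treat the control as blocked only if the kill bit is set in the DWORD.
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Set-OfficeComBlocked {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $ComCompatRoot $Clsid
    if (Test-OfficeComBlocked -Clsid $Clsid) {
        return [pscustomobject]@{ Clsid = $Clsid; Changed = $false; Blocked = $true }
    }
    if ($PSCmdlet.ShouldProcess($key, "Set 'Compatibility Flags' to 0x$('{0:X}' -f $KillBit)")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any flag bits already present; only OR in the kill bit.
        $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$existing) -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    }
    [pscustomobject]@{ Clsid = $Clsid; Changed = $true; Blocked = (Test-OfficeComBlocked -Clsid $Clsid) }
}

# Placeholder CLSID; replace with the control identifier from the advisory.
$targetClsid = '{00000000-0000-0000-0000-000000000000}'
Set-OfficeComBlocked -Clsid $targetClsid -WhatIf   # dry run; drop -WhatIf (run elevated) to apply
```

On 64-bit Windows a 32-bit Office installation reads the WOW6432Node registry view, so the same entry may need to be written under HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\... as well. Run the audit function across your fleet before and after deployment to confirm the entry actually landed.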

Microsoft has been tight-lipped about how CVE-2026-21509 is being abused, offering no details on attack campaigns, victim profiles, or impact. The company credited its own Microsoft Threat Intelligence Center, Microsoft Security Response Center, and Office Product Group Security Team with discovering the issue.

The US Cybersecurity and Infrastructure Security Agency has been quick to add the flaw to its Known Exploited Vulnerabilities catalog, giving Federal Civilian Executive Branch agencies until February 16 to apply available fixes.

The patch comes only days after Microsoft sounded the alarm about CVE-2026-20805, a separate Windows bug already under attack, giving 2026 an uncomfortably familiar feel. ®
