Microsoft released out-of-band security updates to address an actively exploited Microsoft Office zero-day vulnerability, tracked as CVE-2026-21509, that bypasses OLE security protections and affects multiple Office versions. Exploitation requires convincing a user to open a malicious Office file. Mitigation differs by version: Office 2021 and later receive a service-side fix, while Office 2016 and 2019 need either a registry change or a forthcoming security update. #CVE-2026-21509 #MicrosoftOffice
Key points
- The vulnerability CVE-2026-21509 is an actively exploited security feature bypass in Microsoft Office.
- Multiple versions are affected, including Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise.
- The flaw bypasses OLE/COM protections and exposes vulnerable COM/OLE controls.
- An attacker must send a malicious Office file and trick a user into opening it to achieve exploitation.
- Office 2021 and later receive a service-side fix after restart; Office 2016/2019 require a security update or a registry change to block vulnerable controls.