Microsoft Issues Emergency Patch for Actively Exploited Office Zero-Day Vulnerability

On January 27, 2026, Microsoft issued an out-of-band security update to address a critical zero-day vulnerability in Microsoft Office, identified as CVE-2026-21509. This flaw, with a CVSS score of 7.8, allows an attacker to bypass a security feature when Office processes untrusted input.

The vulnerability enables unauthorized attackers to circumvent security measures designed to protect users from malicious COM/OLE controls. Exploitation requires an attacker to send a specially crafted Office file and persuade the recipient to open it. Notably, the Preview Pane is not an attack vector in this scenario.

For users of Office 2021 and later versions, Microsoft has implemented a service-side change that automatically protects against this vulnerability. However, users must restart their Office applications for the update to take effect. Those using Office 2016 and 2019 need to install specific updates:

– Microsoft Office 2019 (32-bit edition): Version 16.0.10417.20095
– Microsoft Office 2019 (64-bit edition): Version 16.0.10417.20095
– Microsoft Office 2016 (32-bit edition): Version 16.0.5539.1001
– Microsoft Office 2016 (64-bit edition): Version 16.0.5539.1001

As an additional precaution, Microsoft recommends modifying the Windows Registry:

1. Back up the Registry.
2. Close all Microsoft Office applications.
3. Open the Registry Editor.
4. Navigate to the appropriate registry subkey based on your Office installation.
5. Add a new subkey named `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}` (the CLSID of the control being blocked).
6. Within this subkey, create a new DWORD (32-bit) Value named `Compatibility Flags` and set its value data to `400` (entered as hexadecimal, i.e. 0x400, the COM kill bit that stops Office from loading the control).
7. Close the Registry Editor and restart the Office application.
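The same registry mitigation, automated as an audit-and-apply script. This is an added example, not Microsoft's own tooling; the two `16.0` Office roots it probes are an assumption standing in for the "appropriate registry subkey" of step 4, so confirm them against Microsoft's guidance for your installation before using `-Apply`.

```powershell
param([switch]$Apply)   # default: audit only; -Apply writes the kill bit

$Clsid   = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$KillBit = 0x400        # "Compatibility Flags" = 400 hex: the COM kill bit
# ASSUMED locations for page step 4; verify against Microsoft's guidance for your install.
$OfficeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0',             # 64-bit Office on 64-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0'  # 32-bit Office on 64-bit Windows
)

function Get-KillBitKey([string]$Root) { Join-Path $Root "Common\COM Compatibility\$Clsid" }

# Returns $true only if the CLSID subkey exists and the kill bit is set in its flags.
function Test-OfficeKillBit([string]$Root) {
    $key = Get-KillBitKey $Root
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    return ($null -ne $flags) -and (([int]$flags -band $KillBit) -eq $KillBit)
}

function Set-OfficeKillBit([string]$Root) {
    $key = Get-KillBitKey $Root
    # Page step 1: export the existing branch before changing anything.
    if (Test-Path $key) {
        $backup = Join-Path $env:TEMP ('ComCompat-{0:yyyyMMddHHmmss}.reg' -f (Get-Date))
        reg.exe export ($key -replace '^HKLM:\\', 'HKLM\') $backup /y | Out-Null
    }
    # Page step 5: create the CLSID subkey (and any missing parents).
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Page step 6: set the DWORD, OR-ing in the kill bit so other flags survive.
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $value = if ($null -eq $existing) { $KillBit } else { [int]$existing -bor $KillBit }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $value -Force | Out-Null
    return Test-OfficeKillBit $Root
}

foreach ($root in $OfficeRoots) {
    if (-not (Test-Path $root)) { continue }                       # no Office of this bitness
    $state = if (Test-OfficeKillBit $root) { 'SET' } else { 'MISSING' }
    if ($state -eq 'MISSING' -and $Apply) {
        $state = if (Set-OfficeKillBit $root) { 'APPLIED' } else { 'FAILED' }
    }
    '{0,-8} {1}' -f $state, $root
}
```

Run it elevated with all Office applications closed (steps 2 and 7 are not automated), and re-run without `-Apply` afterwards to confirm every present Office root reports `SET`.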

Microsoft has not disclosed specific details about the attacks exploiting CVE-2026-21509 but credits its Threat Intelligence Center (MSTIC), Security Response Center (MSRC), and Office Product Group Security Team for identifying the issue.

In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the patches by February 16, 2026.