- Microsoft issues emergency patch for Office zero-day CVE-2026-21509
- Vulnerability allows attackers to bypass OLE mitigations and execute malware
- CISA adds flaw to KEV catalog; exploitation details remain undisclosed
Microsoft has issued an emergency patch to fix a high-severity Office vulnerability that is being exploited in the wild as a zero-day.
The bug is described as a security bypass flaw: “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the National Vulnerability Database (NVD) explains.
In other words, Office was making security decisions based on information it shouldn’t fully trust, and that was exploited by cybercriminals to execute malware, steal login credentials, and move laterally through the network.
How to patch and work around the bug
It was said that the vulnerability is being actively exploited in the wild, and the US Cybersecurity and Infrastructure Security Agency (CISA) already added it to its Known Exploited Vulnerabilities (KEV) catalog.
However, Microsoft did not say who the threat actors are, or who the victims were. We also don’t know what the scope of the campaign is, or if it already resulted in meaningful data theft, or possibly ransomware attacks.
The bug is tracked as CVE-2026-21509 and was given a severity score of 7.8/10 (high).
“This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls,” Microsoft said in a security advisory.
Users running Office 2021 and later don’t have to do anything aside from restarting their Office applications, since the patch will be made server-side. Those running Office 2016 and 2019, will need to install these updates:
Microsoft Office 2019 (32-bit edition) – 16.0.10417.20095
Microsoft Office 2019 (64-bit edition) – 16.0.10417.20095
Microsoft Office 2016 (32-bit edition) – 16.0.5539.1001
Microsoft Office 2016 (64-bit edition) – 16.0.5539.1001
Those that cannot install the patches should make changes in Windows Registry, as mitigation. Microsoft has provided a step-by-step guide which can be found on this link.
Via The Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
