- Microsoft issues emergency patch for Office zero-day CVE-2026-21509
- Vulnerability allows attackers to bypass OLE mitigations and execute malware
- CISA adds the flaw to its KEV catalog; details of exploitation remain undisclosed
Microsoft has issued an emergency patch to fix a serious Office vulnerability that is being exploited in the wild as a zero-day.
The flaw is described as a security feature bypass: “Depending on untrusted input in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” the National Vulnerability Database (NVD) explains.
In other words, Office made security decisions based on information it shouldn’t fully trust, which was exploited by cybercriminals to execute malware, steal login credentials, and move laterally through the network.
How to patch and work around the flaw
The vulnerability was said to be actively exploited in the wild, and the US Cybersecurity and Infrastructure Security Agency (CISA) has already added it to its catalog of known exploited vulnerabilities (KEV).
However, Microsoft did not say who the threat actors are or who the victims were. We also don’t know the scale of the campaign or whether it has already resulted in meaningful data theft or possibly ransomware attacks.
The bug is tracked as CVE-2026-21509 and received a severity score of 7.8/10 (high).
“This update addresses a vulnerability that bypasses OLE restrictions in Microsoft 365 and Microsoft Office that protect users from vulnerable COM/OLE controls,” Microsoft said in a security advisory.
Users running Office 2021 and later only need to restart their Office applications, because the fix is applied server-side. Those running Office 2016 and 2019 should install these updates:
Microsoft Office 2019 (32-bit edition) – 16.0.10417.20095
Microsoft Office 2019 (64-bit edition) – 16.0.10417.20095
Microsoft Office 2016 (32-bit edition) – 16.0.5539.1001
Microsoft Office 2016 (64-bit edition) – 16.0.5539.1001
Those who cannot install the patches should make changes to the Windows registry as a workaround. Microsoft has provided a step-by-step guide.
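The fixed builds listed above can be checked against a software inventory. The following Python is an added example, not code from Microsoft or this article: the CSV layout, host names, product labels and installed versions are constructed, and only the two fixed builds come from the list above. It compares builds numerically, because a plain string comparison would rank 16.0.9999.x above 16.0.10417.x.

```python
import csv
import io

# Fixed builds from the article (identical for 32-bit and 64-bit editions).
FIXED_BUILDS = {
    "Office 2016": (16, 0, 5539, 1001),
    "Office 2019": (16, 0, 10417, 20095),
}
# Per the article, Office 2021 and later only need an application restart.
# These labels are assumptions about how the inventory names products.
RESTART_ONLY = {"Office 2021", "Office 2024"}

def parse_build(version):
    """Turn '16.0.5539.1001' into a tuple of ints so comparison is numeric."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part build number: {version!r}")
    return tuple(int(p) for p in parts)

def triage(product, version):
    """Classify one install: patched, needs-update, restart-apps or review."""
    if product in RESTART_ONLY:
        return "restart-apps"
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        return "review"          # product the article does not cover
    try:
        installed = parse_build(version)
    except ValueError:
        return "review"          # unreadable version: check the host by hand
    return "patched" if installed >= fixed else "needs-update"

# Constructed sample inventory; none of these hosts or versions are real.
INVENTORY_CSV = """host,product,version
ws-001,Office 2016,16.0.5539.1001
ws-002,Office 2016,16.0.5522.1000
ws-003,Office 2019,16.0.10417.20095
ws-004,Office 2019,16.0.9999.20000
ws-005,Office 2021,16.0.14332.20000
ws-006,Office 2013,15.0.5603.1000
ws-007,Office 2019,unknown
"""

def triage_inventory(text):
    """Map each host in the CSV text to its triage status."""
    return {row["host"]: triage(row["product"], row["version"])
            for row in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY_CSV).items():
        print(f"{host}: {status}")
```

Both affected products report a 16.0 major version, so the product label, not the version prefix, decides which fixed build applies.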
Via Hacker News



