Microsoft issues emergency patch for Office zero-day CVE-2026-21509

by

Microsoft on Monday issued out-of-band security patches for a high severity Microsoft Office zero-day tracked as CVE-2026-21509 and rated 7.8 out of 10, in an advisory Microsoft said.

KEY FACTS

  • Incident A high severity Office vulnerability exploited in active attacks
  • CVE CVE-2026-21509, CVSS 7.8
  • Affected Office 2016, 2019 and later Office builds
  • Mitigation Service-side protection for newer builds and a registry workaround for older installs

The advisory describes the flaw as a security feature bypass that defeats OLE mitigations in Office and related apps. Successful exploitation requires a specially crafted Office file and user action to open it. The advisory specifies the Preview Pane is not an attack vector.

Customers running Office 2021 and later are covered by a service-side change that takes effect after restarting Office applications. Administrators of Office 2016 and 2019 must install specific updates with the following builds: 16.0.10417.20095 for Office 2019 32-bit and 64-bit, and 16.0.5539.1001 for Office 2016 32-bit and 64-bit.

The advisory also provides a mitigation that requires a Windows Registry change. Steps include backing up the Registry, exiting Office, adding a COM Compatibility subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} and creating a REG_DWORD called “Compatibility Flags” with a hexadecimal value of 400, then restarting Office.

Details about the scope and actors behind the active exploitation are not disclosed in the advisory. Discoverers listed in the advisory include the Threat Intelligence Center, the Security Response Center and the Office Product Group Security Team. The flaw appears in the U.S. Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities catalog with a remediation deadline for Federal Civilian Executive Branch agencies of February 16, 2026.

WHY IT MATTERS

The patch addresses an actively exploited bypass that can lead to code execution when a user opens a crafted Office file. Agencies and administrators should apply the updates or the registry mitigation to reduce exposure, and restart Office where service-side protection has been applied.