Microsoft Office Zero-Day – CVE-2026-21509

Microsoft has issued an emergency out-of-band patch for a high-severity zero-day vulnerability in Microsoft Office that is actively being exploited in the wild.

Vulnerability Details

  • CVE ID: CVE-2026-21509
  • CVSS Score: 7.8 (High)
  • Type: Security feature bypass
  • Root cause: Reliance on untrusted inputs in a security decision, allowing bypass of OLE mitigations in Microsoft 365 and Office.
  • Attack vector:
    • Requires a specially crafted Office file.
    • Victim must be tricked into opening the file.
    • Preview Pane is not affected.

Impact

  • Exploitation allows attackers to bypass protections against vulnerable COM/OLE controls.
  • Could lead to execution of malicious code or compromise of sensitive data.
  • Actively exploited in targeted attacks (details not disclosed by Microsoft).

Affected Versions & Patches

  • Office 2021 and later:
    • Protected automatically via service-side change.
    • Requires restart of Office applications.
  • Office 2019:
    • Update to 16.0.10417.20095 (32-bit and 64-bit).
  • Office 2016:
    • Update to 16.0.5539.1001 (32-bit and 64-bit).

Mitigation (Registry Workaround)

For environments unable to patch immediately:

  1. Back up the Registry.
  2. Exit all Office applications.
  3. Open Registry Editor.
  4. Navigate to the appropriate subkey:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\
    • Or corresponding WOW6432Node / ClickToRun paths depending on Office version.
  5. Add new subkey: {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
  6. Add new DWORD value: "Compatibility Flags" = 0x400.
  7. Restart Office applications.
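As an added example that is not from the advisory or from Microsoft, the following PowerShell applies the workaround above and then audits whether the flag is in place, so the state can be confirmed across a fleet before and after patching. The CLSID, value name and 0x400 flag come from the steps; the WOW6432Node path is an assumption that should be confirmed against the Office build in use.

```powershell
# Added example: apply and audit the CVE-2026-21509 registry workaround.
# Run elevated. The Office key absent for a given bitness means that
# bitness is not installed, so that path is skipped rather than created.
$Clsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # from the advisory
$Flag  = 0x400                                       # from the advisory
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    # Assumed 32-bit-Office-on-64-bit-Windows path; confirm for your build.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
)
$OfficeProcs = 'WINWORD', 'EXCEL', 'POWERPNT', 'OUTLOOK'

function Test-OfficeComMitigation {
    # Emits one object per base path; Mitigated is true only when the
    # 0x400 bit is set in "Compatibility Flags" under the CLSID subkey.
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key       = $key
            Value     = $current
            Mitigated = ($null -ne $current) -and (($current -band $Flag) -eq $Flag)
        }
    }
}

function Set-OfficeComMitigation {
    # Step 2 of the advisory: refuse to proceed while Office is running.
    $running = Get-Process -Name $OfficeProcs -ErrorAction SilentlyContinue
    if ($running) { throw "Close Office first: $($running.Name -join ', ')" }
    foreach ($base in $BasePaths) {
        if (-not (Test-Path $base)) { continue }
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the bit in so any flags already present are preserved.
        $new = if ($null -eq $existing) { $Flag } else { $existing -bor $Flag }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

Set-OfficeComMitigation
Test-OfficeComMitigation | Format-Table -AutoSize
```

Running only Test-OfficeComMitigation is a safe read-only check for endpoints where the patch has already been deployed and the workaround is expected to be present or absent.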

Response & Enforcement

  • Microsoft credits: MSTIC, MSRC, and Office Product Group Security Team.
  • CISA action: Added CVE-2026-21509 to Known Exploited Vulnerabilities (KEV) catalog.
    • Federal agencies must patch by February 16, 2026.

Takeaway

This zero-day highlights the ongoing risk of Office-based attacks leveraging malicious documents. Organizations should patch immediately, apply registry mitigations if necessary, and reinforce user awareness against phishing and malicious attachments.
