MICROSOFT has issued an emergency patch for a high-severity zero-day in Office that allows attackers to bypass document security checks and is being exploited in the wild via malicious files. The vulnerability, tracked as CVE-2026-21509, is classified as a Microsoft Office Security Feature Bypass Vulnerability with a CVSS score of 7.8 out of 10.
It enables attackers to bypass the Object Linking and Embedding (OLE) mitigations that are meant to stop unsafe COM/OLE controls from activating inside Office documents, meaning a malicious attachment can compromise a PC despite the built-in protections. In real-world terms, an attacker can craft a fake Word, Excel or PowerPoint file carrying a hidden embedded object (effectively a small program) that runs code on the victim's computer, sidestepping the normal safety checks. Because the flaw is a security feature bypass rather than a remote exploit, the victim still has to open the file; what fails are the checks that should have blocked the object once the file is open.
The bypass works by manipulating the file's structure and metadata so that Office treats the dangerous embedded object as harmless and lets its code execute. The article notes that proof-of-concept code for the bypass is publicly available, and urges users to apply the patch without delay; affected products include Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024 and Microsoft 365 Apps, with the specific update to install depending on the version.
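As an added example that is not part of the article and is not Microsoft tooling, the following Python script shows the kind of mail-gateway or download-queue triage a defender can run on incoming Office files while the patch rolls out. A modern Office document (.docx, .xlsx, .pptx) is a zip package, and an embedded OLE/COM object leaves three independent traces inside it: a part under an embeddings/ directory, a relationship of the oleObject type, and a ProgID attribute in the document XML. The script checks all three so that dropping one of them does not hide the object. The sample document it builds is constructed inside the code and is not an exploit for CVE-2026-21509; the function names and verdict strings are this example's own.

```python
import io
import re
import zipfile

# Relationship type OOXML uses to link a document part to an embedded OLE object.
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)
# Package directories where Word, Excel and PowerPoint store embedded objects.
EMBED_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
# Magic bytes of an OLE Compound File (legacy .doc/.xls/.ppt containers).
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_ole_objects(data: bytes) -> dict:
    """Collect indicators of embedded OLE/COM objects from an OOXML package."""
    summary = {
        "is_ooxml": False,
        "legacy_cfb": data.startswith(CFB_MAGIC),
        "embedded_parts": [],      # names of parts stored under */embeddings/
        "ole_relationships": [],   # (rels part, target) for oleObject relationships
        "progids": [],             # ProgID values found in document XML
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return summary
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return summary  # a zip, but not an Office package
    summary["is_ooxml"] = True
    for name in names:
        if name.startswith(EMBED_DIRS):
            summary["embedded_parts"].append(name)
        if name.endswith(".rels"):
            text = zf.read(name).decode("utf-8", "replace")
            # Only single <Relationship .../> elements, not the <Relationships> root.
            for m in re.finditer(r"<Relationship\b[^>]*>", text):
                tag = m.group(0)
                if OLE_REL_TYPE in tag:
                    target = re.search(r'Target="([^"]*)"', tag)
                    summary["ole_relationships"].append(
                        (name, target.group(1) if target else "")
                    )
        elif name.endswith(".xml"):
            text = zf.read(name).decode("utf-8", "replace")
            # Word writes ProgID="...", Excel writes progId="..."; match both.
            summary["progids"].extend(
                re.findall(r'\bprogid="([^"]*)"', text, re.IGNORECASE)
            )
    return summary


def triage(data: bytes) -> str:
    """Verdict string for one file in a review queue (wording is this example's own)."""
    s = find_ole_objects(data)
    if s["legacy_cfb"]:
        return "review: legacy binary Office format, not parsed here"
    if not s["is_ooxml"]:
        return "skip: not an OOXML package"
    if s["embedded_parts"] or s["ole_relationships"] or s["progids"]:
        return "review: embedded OLE/COM object present"
    return "clean: no embedded OLE/COM object found"


def build_sample_docx(with_ole: bool) -> bytes:
    """Construct a minimal docx-like package for testing; not a real exploit file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        body = "<w:document><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p>"
        if with_ole:
            rels += f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
            body += '<w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId5"/></w:object>'
            zf.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 24)
        rels += "</Relationships>"
        body += "</w:body></w:document>"
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("with OLE", build_sample_docx(True)), ("plain", build_sample_docx(False))):
        print(f"{label}: {triage(blob)}")
        print("  ", find_ole_objects(blob))
```

Embedded objects are legitimate in plenty of business documents, so this is a heuristic for prioritising review, not a detector for this particular CVE, and it deliberately does not parse the legacy binary .doc/.xls/.ppt containers (it only routes them for manual review). The fix remains applying Microsoft's update to every affected Office version.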