MICROSOFT on Monday issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks, tracked as CVE-2026-21509 with a CVSS score of 7.8.
The vulnerability is described as a security feature bypass in Microsoft Office: an unauthorised attacker can bypass a security feature locally because the affected code relies on untrusted inputs in a security decision. Exploitation requires sending a specially crafted Office file and convincing the recipient to open it; the Preview Pane is not an attack vector.
The Windows maker said customers running Office 2021 and later will be automatically protected via a service-side change, but a restart of Office applications is required for it to take effect; for Office 2016 and 2019, users must install the specific updates listed in the advisory. As a mitigation, Microsoft also provides a Windows Registry change procedure, which involves backing up the registry and adding a new key under COM Compatibility with a REG_DWORD value of 400.
The vulnerability has prompted CISA to add it to its Known Exploited Vulnerabilities catalog, with Federal Civilian Executive Branch agencies asked to apply the patches by 16 February 2026. The advisory notes that Microsoft credited MSTIC, MSRC, and the Office Product Group Security Team with the discovery.