securityaffairs.com, 1/26/2026, 7:26:07 PM

Emergency Microsoft update fixes in-the-wild Office zero-day

CyberSIXT Evidence Panel: CISA KEV: listed. Patch: available.

Microsoft issued emergency out-of-band security updates to fix an actively exploited Office zero‑day tracked as CVE-2026-21509, affecting Office 2016–2024 and Microsoft 365 Apps for Enterprise. The vulnerability is a security feature bypass that can allow an unauthorised attacker to bypass a security feature locally, with exploitation requiring the user to open a malicious Office file.

The advisory notes that the attacker must persuade a user to open the file, and specifies that the issue exploits untrusted inputs in a security decision within Microsoft Office. The fix addresses a flaw that bypasses OLE security protections in Office, exposing vulnerable COM/OLE controls, while the Office Preview Pane is not affected and is not considered an attack vector.

Microsoft says updates will be released as soon as possible for Office 2016 and 2019; Office 2021 and later are protected automatically through a service‑side fix after restarting apps. For those on older releases, mitigations include installing the upcoming security update or manually applying a registry change to block vulnerable COM/OLE controls, with a reminder to back up the registry and restart Office for protections to take effect.
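The mitigation path described above for older Office releases (back up the registry, block the vulnerable COM/OLE controls, restart Office) as an added PowerShell example. This is not code from the article or from Microsoft. The key location (HKCU\Software\Microsoft\Office\Common\COM Compatibility\<CLSID>) and the 0x400 "Compatibility Flags" kill bit follow the long-standing Office COM compatibility mechanism and are assumptions to confirm against Microsoft's advisory for CVE-2026-21509; the CLSID is a placeholder, since the article does not list the affected controls.

```powershell
# Added example, not code from the article or from Microsoft.
# Backs up the Office COM compatibility key, writes the "do not load"
# kill bit for a list of CLSIDs, verifies the result, and reports Office
# processes that must be restarted for the block to take effect.
#
# ASSUMPTIONS (confirm against Microsoft's CVE-2026-21509 advisory):
#   - the per-user kill-bit location is
#     HKCU\Software\Microsoft\Office\Common\COM Compatibility\<CLSID>
#   - the flag is a DWORD "Compatibility Flags" = 0x400
#   - the CLSID below is a PLACEHOLDER, not a value from the article.
[CmdletBinding()]
param(
    [string[]]$Clsid = @('{00000000-0000-0000-0000-000000000000}'),  # PLACEHOLDER
    [string]$BaseKey = 'HKCU:\Software\Microsoft\Office\Common\COM Compatibility',
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'office-com-backup')
)

$KillBit = 0x400  # ASSUMPTION: "do not load this control" flag

function Backup-ComCompatKey {
    param([string]$Key, [string]$Dir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Dir "com-compat-$stamp.reg"
    # reg.exe expects HKCU\..., not the PowerShell HKCU:\ drive form
    $regPath = $Key -replace '^HKCU:\\', 'HKCU\'
    if (Test-Path $Key) {
        & reg.exe export $regPath $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (exit $LASTEXITCODE)" }
    } else {
        # Nothing to export yet; record that so a rollback knows to delete the key
        Set-Content -Path $file -Value "; key $regPath did not exist before mitigation"
    }
    return $file
}

function Set-ComKillBit {
    param([string]$Key, [string]$Id, [int]$Flags)
    $path = Join-Path $Key $Id
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $Flags -Type DWord
}

function Test-ComKillBit {
    # True only when the kill bit is present in the stored flags
    param([string]$Key, [string]$Id, [int]$Flags)
    $path = Join-Path $Key $Id
    if (-not (Test-Path $path)) { return $false }
    $val = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $val) -and (($val -band $Flags) -eq $Flags)
}

function Get-RunningOfficeApps {
    # The block takes effect only after Office restarts; report, do not kill
    Get-Process -Name winword, excel, powerpnt, outlook, msaccess, visio, onenote -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ProcessName -Unique
}

$backup = Backup-ComCompatKey -Key $BaseKey -Dir $BackupDir
Write-Host "Registry backup written to $backup"

foreach ($id in $Clsid) {
    Set-ComKillBit -Key $BaseKey -Id $id -Flags $KillBit
    $ok = Test-ComKillBit -Key $BaseKey -Id $id -Flags $KillBit
    Write-Host ("{0}: {1}" -f $id, $(if ($ok) { 'blocked' } else { 'NOT blocked' }))
}

$running = @(Get-RunningOfficeApps)
if ($running.Count -gt 0) {
    Write-Warning "Restart these Office apps for the block to take effect: $($running -join ', ')"
}
```

Run it in the user's own session, since the key lives under HKCU. The exported .reg file is the rollback: `reg.exe import <file>` restores the previous state once the proper security update is installed and the manual block is no longer needed.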


Article by CyberSIXT