MICROSOFT has rolled out an urgent security update for Office to fix CVE-2026-21509, a zero-day vulnerability exploited in the wild that is rated CVSS 7.8 and targets how Office handles OLE controls. The flaw, classified as a Security Feature Bypass, can be triggered by feeding the application crafted data that weakens its protections; its CVSS vector carries a UI:R (user interaction required) rating, so exploitation requires a user to open a malicious Office file.
Microsoft released the fix on 26 January 2026, and users should ensure they are on Build 16.0.10417.20095 or later, verifiable via File > Account > About in any Office app, according to MSRC.
For organisations unable to patch immediately, a manual registry workaround exists to disable the vulnerable functionality by adding a key under COM Compatibility; the steps specify navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ and creating a subkey with a Compatibility Flags value of 400. The update covers Microsoft Office 2016 and 2019, and the article notes that the Preview Pane is not an attack vector and that the attack is not a drive-by scenario.
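As an added example (not from the article, MSRC or Microsoft), the following PowerShell audits an installed build against the fixed build named above and checks or applies the COM Compatibility workaround. The article does not name the affected control's CLSID, so it is a labelled placeholder, and the Compatibility Flags value of 400 is assumed to be the hexadecimal DWORD 0x400.

```powershell
# Added example: audit/apply the CVE-2026-21509 workaround described in the article.
$MinPatchedBuild = [version]'16.0.10417.20095'   # fixed build stated in the article
$ComCompatRoot   = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
# Assumption: the article omits the CLSID; replace this placeholder with the value from the MSRC advisory.
$AffectedClsid   = '{PLACEHOLDER-CLSID-FROM-MSRC-ADVISORY}'

function Test-OfficeBuildPatched {
    param([Parameter(Mandatory)][version]$InstalledBuild)
    # $true when the build shown under File > Account > About is at or above the fixed build.
    return $InstalledBuild -ge $MinPatchedBuild
}

function Test-ComCompatMitigation {
    param([string]$Clsid = $AffectedClsid)
    # $true when the control's subkey exists and its Compatibility Flags DWORD has 0x400 set.
    $keyPath = Join-Path $ComCompatRoot $Clsid
    if (-not (Test-Path $keyPath)) { return $false }
    $flags = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    # Assumption: the article's "400" is the hexadecimal DWORD 0x400.
    return ($null -ne $flags) -and (($flags -band 0x400) -eq 0x400)
}

function Set-ComCompatMitigation {
    param([string]$Clsid = $AffectedClsid)
    # Creates the subkey and the DWORD value; requires an elevated session.
    $keyPath = Join-Path $ComCompatRoot $Clsid
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
}

# Example run: enter the build displayed under File > Account > About.
$installed = [version](Read-Host 'Office build (File > Account > About)')
if (Test-OfficeBuildPatched $installed) {
    Write-Output "Build $installed is patched for CVE-2026-21509; no workaround needed."
} elseif (Test-ComCompatMitigation) {
    Write-Output "Build $installed is unpatched, but the COM Compatibility workaround is in place."
} else {
    Write-Output "Build $installed is unpatched and the workaround is absent; patch, or run Set-ComCompatMitigation."
}
```

Remove the workaround key again once the update is installed, so the control is not left disabled after the fix is in place.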