
Urgent Alert: Microsoft Issues Emergency Patch for Actively Exploited Office Zero-Day Flaw (CVE-2026-21509)


Microsoft has moved swiftly to address a critical security threat, issuing out-of-band emergency patches for a high-severity zero-day vulnerability actively being exploited in attacks targeting Microsoft Office. This urgent update underscores the persistent challenges in cybersecurity and the necessity for users to remain vigilant and apply patches promptly.

The Critical Vulnerability: CVE-2026-21509

Tracked as CVE-2026-21509, the flaw carries a CVSS score of 7.8 out of 10.0 (High). Microsoft classifies it as a "security feature bypass" in Microsoft Office rooted in "reliance on untrusted inputs in a security decision" (CWE-807): an unauthorized attacker can bypass a local security feature. Concretely, the update addresses a bypass of the OLE mitigations in Microsoft 365 and Microsoft Office, the controls that are supposed to stop malicious COM/OLE objects embedded in a document from being loaded.

Exploitation of CVE-2026-21509 requires user interaction: the attacker must deliver a specially crafted Office file and convince the recipient to open it. Microsoft has confirmed that the Preview Pane is not an attack vector, so merely previewing the file in Outlook or Explorer does not trigger the exploit; the document has to be opened in the Office application.

Immediate Action Required: Patching Your Microsoft Office

Given the active exploitation, applying the relevant security updates is paramount. Microsoft has outlined different procedures based on your Office version:

Automatic Protection for Office 2021 and Later

Users running Office 2021 and newer receive the protection automatically through a service-side change. The change only takes effect once the application is restarted, so users must close and reopen their Office applications.

Manual Updates for Office 2016 and 2019

For the older perpetual releases, Office 2016 and Office 2019, the following security updates must be installed (the build numbers are the patched versions to verify against):

  • Microsoft Office 2019 (32-bit edition): Version 16.0.10417.20095
  • Microsoft Office 2019 (64-bit edition): Version 16.0.10417.20095
  • Microsoft Office 2016 (32-bit edition): Version 16.0.5539.1001
  • Microsoft Office 2016 (64-bit edition): Version 16.0.5539.1001

Advanced Mitigation: Registry Modification

As an additional layer of protection, or for environments where immediate patching isn’t feasible, Microsoft has provided a Windows Registry change that blocks the affected control. Editing the Windows Registry incorrectly can cause serious system problems, so follow the steps exactly.

Important Precaution: Back Up Your Registry

Before proceeding with any registry modifications, ensure you have a complete backup of the keys you are about to change (File > Export in Registry Editor, or reg export from an elevated command prompt) so that the change can be reverted once the real update is installed.

Step-by-Step Registry Edit

  1. Exit all Microsoft Office applications.
  2. Start the Registry Editor (type “regedit” in the Windows search bar and press Enter).
  3. Navigate to the appropriate registry subkey based on your Office installation type:
    • For 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility
    • For 32-bit MSI Office on 64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility
    • For 64-bit Click-to-Run Office, or 32-bit Click-to-Run Office on 32-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility
    • For 32-bit Click-to-Run Office on 64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility
  4. Right-click the COM Compatibility node, choose New > Key, and name the new subkey {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
  5. Within this new subkey, right-click, choose New > DWORD (32-bit) Value.
  6. Name the new DWORD value "Compatibility Flags" and set its value to 400 with the Hexadecimal base selected (that is, 0x400, decimal 1024).
  7. Exit Registry Editor and restart your Office applications.
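The registry steps above, scripted so they can be applied consistently across a fleet and verified afterwards. This is an added example, not Microsoft's own tooling: it writes the same CLSID subkey and "Compatibility Flags" value to whichever of the four listed locations apply on the local machine, reads the value back, and can remove the key again once the real update is installed. The function names and the "apply to every location whose parent Office 16.0\Common key exists" heuristic are this example's own choices; the key paths, CLSID and flag value are the ones from the steps above. Run from an elevated PowerShell prompt with all Office applications closed, after backing up the registry.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): apply, verify or roll back the interim
# COM Compatibility mitigation for CVE-2026-21509 described in the steps above.
# Assumes: Office 16.0-based install (2016/2019/2021/M365), PowerShell 5.1+.

$Clsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID named in the advisory
$Flag  = 0x400                                     # "Compatibility Flags" value from the advisory

# The four subkey locations from the manual steps (MSI vs Click-to-Run, 32 vs 64-bit).
$Locations = @(
  'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility',
  'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility',
  'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
)

function Get-ApplicableLocations {
  # Heuristic (this example's own): a location applies if its parent "...\16.0\Common"
  # key already exists, which is only the case for the Office flavour installed here.
  $Locations | Where-Object { Test-Path (Split-Path $_ -Parent) }
}

function Set-OfficeComMitigation {
  foreach ($base in Get-ApplicableLocations) {
    $key = Join-Path $base $Clsid
    # -Force creates "COM Compatibility" and the CLSID subkey if they do not exist yet
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $Flag -Force | Out-Null
    Write-Host "Applied mitigation at $key"
  }
}

function Test-OfficeComMitigation {
  # Returns $true only if every applicable location carries the 0x400 flag.
  $ok = $true
  foreach ($base in Get-ApplicableLocations) {
    $key = Join-Path $base $Clsid
    $val = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($val -ne $Flag) {
      Write-Warning "Mitigation missing or wrong at $key (found: $val)"
      $ok = $false
    } else {
      Write-Host ("OK: {0} = 0x{1:X}" -f $key, $val)
    }
  }
  return $ok
}

function Remove-OfficeComMitigation {
  # Roll back after the real update is installed so the control is not blocked longer than needed.
  foreach ($base in Get-ApplicableLocations) {
    $key = Join-Path $base $Clsid
    if (Test-Path $key) {
      Remove-Item -Path $key -Recurse -Force
      Write-Host "Removed $key"
    }
  }
}

# Apply and verify; a non-zero exit code lets a deployment tool flag the host.
Set-OfficeComMitigation
if (-not (Test-OfficeComMitigation)) { exit 1 }
```

Restart all Office applications after running the script, exactly as in the manual steps; the flag is read when the application starts. Keep the backup from the previous section and use Remove-OfficeComMitigation (or restore the export) once the patched build from the list above is confirmed installed.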

The Broader Context: CISA’s Involvement and Discovery

While Microsoft has not disclosed specific details regarding the nature or scope of the attacks leveraging CVE-2026-21509, the rapid response indicates a serious threat. The discovery of this vulnerability is credited to the collaborative efforts of the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and the Office Product Group Security Team.

The urgency of this flaw is further highlighted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog. This designation mandates that all Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by February 16, 2026, underscoring the critical importance of these updates for all users.

Staying informed and proactive about cybersecurity threats is crucial. Ensure your systems are updated, and consider following reputable security news sources for the latest advisories.

