Full Report
Microsoft on Monday issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks. The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office. "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized
Analysis Summary
# Vulnerability: Microsoft Office Security Feature Bypass (OLE Mitigation Bypass)
## CVE Details
- CVE ID: CVE-2026-21509
- CVSS Score: 7.8 (High)
- CWE: CWE-807, Reliance on Untrusted Inputs in a Security Decision (implied by the advisory's own wording; the source does not state a CWE number)
## Affected Systems
- Products: Microsoft Office, Microsoft 365 applications
- Versions: Microsoft Office 2016 and Microsoft Office 2019 (MSI builds, fixed builds listed under Patches); Microsoft Office 2021 and Microsoft 365 Apps receive a service-side change rather than a build update
- Configurations: any install on which the fix is not yet effective: Office 2016/2019 builds below the fixed builds, or Office 2021/M365 instances that have not been restarted since the service-side change landed. The Preview Pane is explicitly noted as **not** an attack vector, so the target must actually open the file.
## Vulnerability Description
This vulnerability is a security feature bypass in Microsoft Office related to Object Linking and Embedding (OLE). The flaw is a "Reliance on untrusted inputs in a security decision": Office trusts attacker-controlled content from the document when deciding whether an OLE/COM control may load. Successful exploitation bypasses the OLE mitigations Office uses to keep known-vulnerable COM/OLE controls from loading when a document is opened locally. The registry workaround below, which adds a per-CLSID `Compatibility Flags` entry under `COM Compatibility`, indicates that the mitigation concerned is Office's COM-control blocklist.
## Exploitation
- Status: Exploited in the wild (Emergency patch issued)
- Complexity: Low on the attacker's side. The attacker sends a specially crafted Office file and must convince the recipient to open it; no prior privileges on the target are required.
- Attack Vector: Local, with user interaction required (the file must be opened in an Office application; previewing it does not trigger the flaw).
## Impact
- Confidentiality: Not specified in the source. Because the bypass lets an otherwise-blocked COM/OLE control load inside the Office process, any data the opening user can read is exposed to whatever that control does.
- Integrity: Not specified in the source. The same reasoning applies: the loaded control runs with the opening user's rights, so modification is bounded by that user's privileges.
- Availability: Not specified in the source.
## Remediation
### Patches
The following security updates address the vulnerability:
* **Microsoft Office 2019 (32-bit edition):** 16.0.10417.20095
* **Microsoft Office 2019 (64-bit edition):** 16.0.10417.20095
* **Microsoft Office 2016 (32-bit edition):** 16.0.5539.1001
* **Microsoft Office 2016 (64-bit edition):** 16.0.5539.1001
* **Office 2021 / Microsoft 365 Apps:** protected by a service-side change rather than a build update; customers **must** restart all Office applications for the protection to take effect.
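To decide on a host whether the update (or the workaround) is still needed, the following PowerShell script compares the installed Office build with the fixed builds listed above. It is an added example, not Microsoft's tooling. It assumes that Click-to-Run installs (Office 2021, Microsoft 365 Apps) record their build in the `VersionToReport` value under `HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration`, that MSI installs place `WINWORD.EXE`/`EXCEL.EXE` under `...\Microsoft Office\Office16`, and that 16.0.10xxx product versions are Office 2019 while lower 16.0.xxxx versions are Office 2016.

```powershell
# Added example (not Microsoft's tooling): report whether this host is at or above the
# fixed MSI builds from the advisory, or is Click-to-Run and covered by the service-side change.
$FixedBuilds = @{
    'Office 2019 (MSI)' = [version]'16.0.10417.20095'
    'Office 2016 (MSI)' = [version]'16.0.5539.1001'
}

function Get-OfficeInstallInfo {
    # Assumption: Click-to-Run installs record their build in VersionToReport; MSI installs lack this key.
    $c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r -and $c2r.VersionToReport) {
        return [pscustomobject]@{ Type = 'ClickToRun'; Version = [version]$c2r.VersionToReport; Source = 'VersionToReport' }
    }
    # MSI install: read the product version stamped on the Word or Excel binary (assumed install roots).
    $roots = @("$env:ProgramFiles\Microsoft Office\Office16", "${env:ProgramFiles(x86)}\Microsoft Office\Office16")
    foreach ($root in $roots) {
        foreach ($exe in 'WINWORD.EXE', 'EXCEL.EXE') {
            $path = Join-Path $root $exe
            if (Test-Path $path) {
                $pv = (Get-Item $path).VersionInfo.ProductVersion
                return [pscustomobject]@{ Type = 'MSI'; Version = [version]$pv; Source = $path }
            }
        }
    }
    return $null
}

function Get-OfficePatchStatus {
    # Returns a status string instead of only printing it, so results can be collected across hosts.
    param([Parameter(Mandatory)][string]$Type, [Parameter(Mandatory)][version]$Version)
    if ($Type -eq 'ClickToRun') {
        return "ClickToRun $Version: covered by the service-side change; restart Office applications to activate it"
    }
    # Assumption: 16.0.10xxx product versions are Office 2019 (perpetual), lower 16.0.xxxx are Office 2016.
    $family = if ($Version.Build -ge 10000) { 'Office 2019 (MSI)' } else { 'Office 2016 (MSI)' }
    $fixed  = $FixedBuilds[$family]
    if ($Version -ge $fixed) { return "$family $Version: at or above fixed build $fixed" }
    return "$family $Version: below fixed build $fixed, install the update or apply the registry workaround"
}

$info = Get-OfficeInstallInfo
if ($null -eq $info) { Write-Host 'No Office 16.0 install found at the assumed paths.' }
else { Write-Host (Get-OfficePatchStatus -Type $info.Type -Version $info.Version) }
```

`[version]` comparison is component-wise, so `16.0.10417.20095` is correctly judged newer than `16.0.10417.20090` and older than `16.0.10418.20001`; a plain string comparison would not be.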
### Workarounds
A manual remediation via the Windows Registry is available for systems that cannot immediately apply patches:
1. Backup the Windows Registry.
2. Exit all Microsoft Office applications.
3. Start the Registry Editor.
4. Navigate to the `\COM Compatibility\` key that matches the installation type (MSI or Click-to-Run) and Office bitness. The advisory gives these examples:
* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\`
* `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\` (for 32-bit Office on 64-bit Windows)
5. Add a new subkey named: `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`.
6. Within the new subkey, add a new **DWORD (32-bit) Value** named: `"Compatibility Flags"`.
7. Set the value of `"Compatibility Flags"` to **0x400** (Hexadecimal).
8. Exit the Registry Editor and restart Office applications.
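The eight steps above, applied and verified from an elevated PowerShell session, as an added example that is not Microsoft's script. It targets the two key paths the advisory lists; Click-to-Run installs keep Office settings under a separate registry path that the excerpt does not give, so add that path to `$Targets` if your install uses one. The backup directory name and the list of Office process names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's script: applies the advisory's registry workaround
# (steps 1-8) and verifies the result. Office must be restarted afterwards; no reboot is needed.

$Clsid    = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # subkey name from the advisory
$KillFlag = 0x400                                       # "Compatibility Flags" value from the advisory
$Targets  = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',              # 64-bit Office, or 32-bit Office on 32-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'   # 32-bit Office on 64-bit Windows
)

function Test-OfficeRunning {
    # Step 2: all Office applications must be closed before the key is written (process list is an assumption).
    $names = 'WINWORD','EXCEL','POWERPNT','OUTLOOK','MSACCESS','VISIO','ONENOTE','MSPUB'
    return (Get-Process -Name $names -ErrorAction SilentlyContinue | Measure-Object).Count -gt 0
}

function Backup-RegistryKey {
    # Step 1: export the key before changing it. Returns the .reg path, or $null if the key did not exist.
    param([string]$KeyPath, [string]$OutDir = "$env:ProgramData\COMCompat-Backup")
    if (-not (Test-Path $KeyPath)) { return $null }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $regPath = $KeyPath -replace '^HKLM:\\', 'HKLM\'    # reg.exe wants HKLM\..., not the PowerShell drive form
    $file = Join-Path $OutDir ('COMCompat-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $regPath $file /y | Out-Null
    return $file
}

function Set-ComCompatKillBit {
    # Steps 5-7: create the CLSID subkey and the DWORD value. -Force also creates a missing COM Compatibility key.
    param([string]$KeyPath)
    $sub = Join-Path $KeyPath $Clsid
    New-Item -Path $sub -Force | Out-Null
    New-ItemProperty -Path $sub -Name 'Compatibility Flags' -PropertyType DWord -Value $KillFlag -Force | Out-Null
}

function Test-ComCompatKillBit {
    # Verification and audit: true only if the value exists and has the 0x400 bit set.
    param([string]$KeyPath)
    $sub = Join-Path $KeyPath $Clsid
    if (-not (Test-Path $sub)) { return $false }
    $v = (Get-ItemProperty -Path $sub -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $v) -and (($v -band $KillFlag) -eq $KillFlag)
}

if (Test-OfficeRunning) { throw 'Close all Microsoft Office applications, then rerun.' }

foreach ($key in $Targets) {
    # Only write under an Office 16.0 hive that exists on this host (the parent "Common" key).
    $officeCommon = Split-Path -Path $key -Parent
    if (-not (Test-Path $officeCommon)) { Write-Host "Skipped (no Office 16.0 hive here): $key"; continue }
    $backup = Backup-RegistryKey -KeyPath $key
    Set-ComCompatKillBit -KeyPath $key
    $state = if (Test-ComCompatKillBit -KeyPath $key) { 'applied' } else { 'FAILED' }
    $backupNote = if ($backup) { $backup } else { '(key was absent, nothing to back up)' }
    Write-Host ("{0}: {1}; backup: {2}" -f $key, $state, $backupNote)
}
```

`Test-ComCompatKillBit` can be run on its own (for example from a configuration-management agent) to confirm the workaround is still in place after the patch rolls out, and the exported `.reg` file is what you import to revert it.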
## Detection
- Status: The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog, which confirms in-the-wild exploitation and sets a remediation deadline for US federal civilian agencies.
- Detection methods and tools are not detailed in the source. Reasonable coverage is to alert on Office processes (WINWORD, EXCEL, POWERPNT, OUTLOOK) spawning script hosts or other unusual child processes, since a document that loads a COM/OLE control it should not is most visible by what that control does next, and to audit hosts for either the fixed build or the COM Compatibility entry from the workaround.
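A hunt over Sysmon process-creation events (Event ID 1) for children of Office applications, as an added example that is not part of the advisory. It assumes Sysmon is installed and logging to `Microsoft-Windows-Sysmon/Operational`; the list of high-risk child processes is a generic set of script hosts and living-off-the-land binaries, not anything specific to this CVE, and the Office process list is an assumption.

```powershell
# Added example, not from the advisory: list process creations whose parent is an Office
# application, flagging common script hosts / LOLBins. Requires Sysmon process-creation logging.
$OfficeParents    = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe','msaccess.exe','visio.exe','onenote.exe'
$HighRiskChildren = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe',
                    'rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe','msiexec.exe','schtasks.exe'

function ConvertFrom-SysmonEvent {
    # Flattens the EventData name/value pairs of one Sysmon record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-OfficeChildProcesses {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($rec in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-SysmonEvent -Record $rec
        if (-not $d.ParentImage) { continue }
        $parent = [IO.Path]::GetFileName($d.ParentImage).ToLowerInvariant()
        if ($OfficeParents -notcontains $parent) { continue }
        $child = [IO.Path]::GetFileName($d.Image).ToLowerInvariant()
        [pscustomobject]@{
            Time        = $rec.TimeCreated
            Host        = $rec.MachineName
            User        = $d.User
            Parent      = $parent
            Child       = $child
            HighRisk    = ($HighRiskChildren -contains $child)
            CommandLine = $d.CommandLine
        }
    }
}

# Triage view: high-risk children first, then everything else Office spawned in the window.
Get-OfficeChildProcesses -Hours 24 |
    Sort-Object @{ Expression = 'HighRisk'; Descending = $true }, Time |
    Format-Table -AutoSize
```

Rows where `HighRisk` is false still deserve a look: a control loaded through this bypass can just as well launch an uncommon signed binary, so review the full `CommandLine` rather than relying on the name list alone.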
## References
- Vendor Advisory: hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
- CISA KEV Catalog Entry: hxxps://www.cisa.gov/news-events/alerts/2026/01/26/cisa-adds-five-known-exploited-vulnerabilities-catalog