Emergency Microsoft Office Update Patches Actively Exploited CVE-2026-21509 OLE Security Bypass
Microsoft released out-of-band (OOB) security updates to address an actively exploited Microsoft Office zero-day, CVE-2026-21509, described as a security feature bypass caused by reliance on untrusted input in a security decision. The flaw impacts Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise, and is exploited by sending a user a malicious Office document and convincing them to open it; Microsoft stated the Preview Pane is not an attack vector. The fix addresses a bypass of OLE mitigations intended to protect users from vulnerable COM/OLE controls, but Microsoft did not provide public technical details on the in-the-wild exploitation.
For Office 2021 and later / Microsoft 365 Apps, Microsoft indicated protections may be applied via a service-side fix after restarting Office apps, while Office 2016 and 2019 updates were not yet available at the time of reporting and were promised “as soon as possible.” As interim risk reduction, Microsoft provided mitigations that include a Windows Registry change to block vulnerable COM/OLE controls by adding a COM compatibility key and setting a Compatibility Flags DWORD value; guidance emphasized backing up the registry and restarting Office applications after applying the mitigation.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Cisco Talos releases detection content for CVE-2026-21509 activity
Cisco Talos published updated detection coverage for the Office zero-day, including new Snort rules and a ClamAV signature to help identify exploitation attempts and related activity. This added public defensive guidance beyond Microsoft's patching and mitigation advice.
CISA sets February 16 deadline for federal agencies to remediate
Following KEV inclusion, CISA directed U.S. Federal Civilian Executive Branch agencies to remediate CVE-2026-21509 by February 16, 2026, or discontinue use of affected products until patched. This formalized the federal response to the actively exploited Office zero-day.
CISA adds CVE-2026-21509 to the KEV catalog
CISA added CVE-2026-21509 to its Known Exploited Vulnerabilities catalog after Microsoft confirmed active exploitation. The listing elevated remediation urgency for defenders and federal agencies.
Office 2016 and 2019 security update details published
By January 26, 2026, Microsoft published update guidance for Office 2016 and Office 2019, with multiple reports citing build 16.0.10417.20095 or later as the fixed version for affected installations. Organizations were told to verify build numbers or use the registry workaround if immediate patching was not possible.
Microsoft issues emergency OOB fixes and mitigations for CVE-2026-21509
On January 26, 2026, Microsoft released out-of-band protections for CVE-2026-21509, including a service-side fix for Office 2021 and later that takes effect after restarting Office apps. Microsoft also provided registry-based mitigations for unsupported or not-yet-patched versions and advised Office 2016/2019 users to apply updates when available.
Microsoft confirms in-the-wild exploitation of Office zero-day CVE-2026-21509
Microsoft disclosed that CVE-2026-21509, a Microsoft Office security feature bypass involving untrusted input in security decisions, was being actively exploited in real-world attacks. The flaw bypasses OLE protections and requires a user to open a malicious Office document; Microsoft said the Preview Pane is not an attack vector.
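The build check and registry mitigation described above, sketched in PowerShell as an added example; it is not Microsoft's script and not part of the original page. The CLSID is a required parameter because the page does not list it, and the 0x400 flag value and COM Compatibility key paths are assumptions based on the long-standing Office COM kill-bit mechanism, to be confirmed against Microsoft's advisory.

```powershell
# Added example, not Microsoft's script. Run from an elevated session.
function Get-OfficeC2RBuild {
    # Click-to-Run installs record their build in VersionToReport.
    $cfg = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $v = (Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue).VersionToReport
    if ($v) { [version]$v }
}

function Test-OfficeBuildFixed {
    # Threshold is the build the page cites for Office 2016/2019.
    param([version]$Installed, [version]$Fixed = '16.0.10417.20095')
    $Installed -ge $Fixed
}

function Set-OfficeComKillBit {
    param(
        [Parameter(Mandatory)][guid]$Clsid,   # take from Microsoft's advisory
        [int]$Flags = 0x400,                  # assumption: standard kill-bit value
        [switch]$Apply,                       # without this, audit only
        [string]$BackupFile = "$env:TEMP\office-hklm-backup.reg"
    )
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software'
    $roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node', $c2r, "$c2r\WOW6432Node" |
        ForEach-Object { "$_\Microsoft\Office\16.0" }
    if ($Apply) {
        # Back up the native-view Office subtree first, as the guidance advises.
        reg.exe export 'HKLM\SOFTWARE\Microsoft\Office' $BackupFile /y | Out-Null
    }
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }   # this Office view is not installed
        $key = "$root\Common\COM Compatibility\$($Clsid.ToString('B'))"
        $name = 'Compatibility Flags'
        $cur = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($Apply -and $cur -ne $Flags) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Flags -Force | Out-Null
            $cur = $Flags
        }
        [pscustomobject]@{ Key = $key; Flags = $cur; Blocked = ($cur -eq $Flags) }
    }
}

# Audit only (constructed placeholder CLSID; replace with the advisory's value):
# Set-OfficeComKillBit -Clsid '00000000-0000-0000-0000-000000000000'
```

Restart Office applications after applying, as the guidance states. The build comparison is only meaningful for the Office 2016/2019 installations the cited build applies to.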


