Microsoft Patches Actively Exploited Office Zero-Day Vulnerability (CVE-2026-21509)

Jan 27, 2026

The flaw, tracked as CVE-2026-21509, is a security feature bypass that enables attackers to circumvent built-in mitigations in Office by leveraging untrusted input. This type of vulnerability is particularly dangerous because it undermines protections meant to prevent execution of malicious content.

Affected Products

| Product | Patched? | Notes |
|---|---|---|
| Microsoft 365 Apps for Enterprise | Yes | Protections applied via service-side update (restart required) |
| Microsoft Office LTSC 2024 | Yes | Restart needed to activate fix |
| Microsoft Office LTSC 2021 | Yes | Restart needed to activate fix |
| Microsoft Office 2019 | No | Patch not yet available |
| Microsoft Office 2016 | No | Patch not yet available |

Note: Microsoft says updates for Office 2016 and 2019 will be released as soon as possible.

What’s the Vulnerability?

The flaw allows unauthenticated local attackers to bypass key security mitigations in Office by tricking a user into opening a specially crafted file. The vulnerability is rooted in “reliance on untrusted inputs in a security decision,” which enables attackers to defeat OLE (Object Linking and Embedding) controls that normally protect against unsafe content.

While Microsoft notes that the Office preview pane is not an exploitable vector, opening a malicious Office document is enough to trigger the flaw.

How It’s Being Exploited

As of this advisory, attackers are actively using the CVE-2026-21509 flaw in limited real-world attacks. The exploit does not require elevated privileges — just that the victim open a malicious file, which makes email and collaboration platforms prime delivery methods for this threat.

Microsoft has not disclosed details about who found the vulnerability or how exploit code works, limiting the technical community’s ability to fully reverse-engineer the threat at this time.

Temporary Mitigations (Office 2016 & 2019)

For Office 2016 and 2019 users who can’t yet install an official patch, Microsoft published a workaround involving a registry configuration that can reduce exploitability. The steps include:

  1. Close all Office apps.

  2. Back up your Windows Registry (editing errors can break your system).

  3. Open regedit.exe and navigate to Office compatibility keys.

  4. Create a new registry key named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} under the COM Compatibility path.

  5. Within it, add a DWORD (32-bit) value named Compatibility Flags and set its Value data to 400 (hex).

  6. Relaunch Office applications for the mitigation to take effect.
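
The six steps above as a PowerShell script, added here as an example and not taken from Microsoft's advisory or from this article. The `-ComCompatPath` parameter is a placeholder for the COM Compatibility key path, which this page does not give; the Office process list and the backup location are assumptions.

```powershell
# Added example. Run elevated if the key lives under HKLM.
[CmdletBinding()]
param(
    # Placeholder: the COM Compatibility key path from Microsoft's advisory
    # (not given on this page), in provider form, e.g. 'HKLM:\...\COM Compatibility'.
    [Parameter(Mandatory)][string]$ComCompatPath,
    [string]$BackupDir = $env:TEMP   # assumption: where the rollback export is written
)
$ErrorActionPreference = 'Stop'
$Clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'  # key name from step 4
$ValueName = 'Compatibility Flags'                     # value name from step 5
$Expected  = 0x400                                     # 400 (hex) from step 5

# Step 1: refuse to continue while Office apps are open (assumed process list).
$officeApps = 'WINWORD','EXCEL','POWERPNT','OUTLOOK','MSACCESS','MSPUB','ONENOTE','VISIO'
$running = Get-Process -Name $officeApps -ErrorAction SilentlyContinue
if ($running) {
    throw "Close Office first: $(($running.ProcessName | Sort-Object -Unique) -join ', ')"
}
if (-not (Test-Path -LiteralPath $ComCompatPath)) {
    throw "Parent key not found: $ComCompatPath (check it against the advisory)"
}

# Step 2: export the parent key so the change can be undone with 'reg import'.
$nativePath = (Get-Item -LiteralPath $ComCompatPath).Name   # HKEY_...\ form for reg.exe
$backupFile = Join-Path $BackupDir ('com-compat-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $nativePath $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

# Steps 3-5: create the CLSID subkey (if absent) and set the DWORD value.
$keyPath = Join-Path $ComCompatPath $Clsid
if (-not (Test-Path -LiteralPath $keyPath)) { New-Item -Path $keyPath | Out-Null }
New-ItemProperty -LiteralPath $keyPath -Name $ValueName -PropertyType DWord `
    -Value $Expected -Force | Out-Null

# Read the value back; a mismatch means the mitigation is not in place.
$actual = (Get-ItemProperty -LiteralPath $keyPath -Name $ValueName).$ValueName
if ($actual -ne $Expected) { throw "Expected 0x400, found 0x$('{0:X}' -f $actual)." }

# Step 6 is manual: relaunch Office so the setting takes effect.
[pscustomobject]@{
    Key    = $keyPath
    Value  = $ValueName
    Data   = '0x{0:X}' -f $actual
    Backup = $backupFile
}
```

The returned object can be collected across hosts to confirm which Office 2016 and 2019 machines carry the workaround until the official patch is installed.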

What This Means for Organizations

Because this is actively exploited in the wild, the security community strongly recommends that organizations:

  • Apply the out-of-band update immediately where available.

  • Restart affected Office applications to ensure protections fully activate.

  • Encourage users to avoid opening untrusted documents, especially via email or file sharing services.

  • Monitor for signs of exploitation, such as unusual Office behavior or unexpected document launches.

Microsoft’s emergency update follows its January 2026 Patch Tuesday release, which addressed over 110 vulnerabilities across Windows and Office products, including zero-day issues in other components.

Summary

  • Zero-day vulnerability patched: Yes (CVE-2026-21509)

  • Actively exploited: Yes

  • Urgent patch recommended: Absolutely

  • Partial mitigations available for older versions: Yes
