Vulnerabilities & CVEs | Jan 27, 2026

Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation - The Hacker News

The Hacker News | Archived Mar 16, 2026



Ravie Lakshmanan | Jan 27, 2026 | Zero-Day / Vulnerability

Microsoft on Monday issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability exploited in attacks.

The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office.

"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," the tech giant said in an advisory. "This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls."

Successful exploitation of the flaw relies on an attacker sending a specially crafted Office file and convincing recipients to open it. It also noted that the Preview Pane is not an attack vector.

The Windows maker said customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.

For those running Office 2016 and 2019, it's required to install the following updates -

- Microsoft Office 2019 (32-bit edition) - 16.0.10417.20095
- Microsoft Office 2019 (64-bit edition) - 16.0.10417.20095
- Microsoft Office 2016 (32-bit edition) - 16.0.5539.1001
- Microsoft Office 2016 (64-bit edition) - 16.0.5539.1001

As mitigation, the company is urging that customers make a Windows Registry change by following the steps outlined below -

1. Take a backup of the Registry
2. Exit all Microsoft Office applications
3. Start the Registry Editor
4. Locate the proper registry subkey -
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ for 64-bit MSI Office or 32-bit MSI Office on 32-bit Windows
   - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ for 32-bit MSI Office on 64-bit Windows
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\ for 64-bit Click2Run Office or 32-bit Click2Run Office on 32-bit Windows
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ for 32-bit Click2Run Office on 64-bit Windows
5. Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key.
6. Within that subkey, add new value by right-clicking the new subkey and choosing New > DWORD (32-bit) Value
7. Add a REG_DWORD hexadecimal value called "Compatibility Flags" with a value of 400
8. Exit Registry Editor and start the Office application

Microsoft has not shared any details about the nature and the scope of attacks exploiting CVE-2026-21509. It credited the Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team for discovering the issue.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.
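The registry mitigation steps above, written as a per-machine audit in PowerShell. This is an added example, not a script from Microsoft or from the article. The -Apply switch and the state names are assumptions of the example; it needs an elevated session to write under HKLM, and it does not back up the registry or close Office for you.

```powershell
# Added example: report (and optionally set) the "Compatibility Flags" mitigation
# from the steps above. Run elevated; back up the registry and exit Office first.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$Clsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # subkey name from the article
$Name  = 'Compatibility Flags'
$Want  = 0x400                                      # "hexadecimal value ... of 400"

# The four COM Compatibility locations listed in the article (MSI and Click2Run).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
)

$results = foreach ($root in $Roots) {
    # No COM Compatibility node: this install type/bitness is not on the machine.
    if (-not (Test-Path -LiteralPath $root)) {
        [pscustomobject]@{ State = 'NotPresent'; Value = ''; Path = $root }
        continue
    }
    $key = "$root\$Clsid"
    $cur = $null
    if (Test-Path -LiteralPath $key) {
        $cur = (Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    # Only create the value when it is absent; an existing different value is
    # reported as 'Other' and left alone for an administrator to review.
    if ($Apply -and $null -eq $cur) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
        New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord -Value $Want | Out-Null
        $cur = $Want
    }
    $state = if ($null -eq $cur) { 'Missing' } elseif ($cur -eq $Want) { 'Mitigated' } else { 'Other' }
    $hex   = if ($null -ne $cur) { '0x{0:X}' -f $cur } else { '' }
    [pscustomobject]@{ State = $state; Value = $hex; Path = $key }
}

$results | Format-Table -AutoSize -Wrap
# Non-zero exit when any installed Office location still lacks the mitigation,
# so the script can feed a compliance check.
if ($results.State -contains 'Missing' -or $results.State -contains 'Other') { exit 1 }
```

The registry change is the article's stated mitigation; installing the listed Office 2016/2019 builds, or restarting Office 2021 and later, remains the fix.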