
CVE-2026-21509: Emergency Patch Released for a Microsoft Office Zero-Day

Ikesan

What happened

On January 26, Microsoft released an emergency patch for a Microsoft Office zero-day vulnerability, CVE-2026-21509. The flaw was already being exploited in the wild, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on the same day.

U.S. federal agencies were required to remediate it by February 16.

Vulnerability overview

CVE-2026-21509 is a vulnerability that bypasses OLE mitigations in Microsoft 365 and Office, exposing users to vulnerable COM/OLE controls. Its CVSS score is 7.8, which places it in the high-severity range.

Successful exploitation requires the victim to open a malicious Office file. Microsoft describes the root issue as relying on untrusted input in a security-sensitive decision.

Affected products

  • Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021
  • Microsoft Office LTSC 2024
  • Microsoft 365 Apps for Enterprise

Patch status

Version                 Response
Office 2021 and later   Automatically protected by a service-side change (Office must be restarted)
Office 2019             Update to build 16.0.10417.20095
Office 2016             Install KB5002713 (build 16.0.5539.1001)

Office 2021 and later are protected automatically, but Office 2016 and 2019 are not protected until the security updates are installed manually.

If you cannot patch immediately

For environments where the patch cannot be applied right away, Microsoft provides a registry-based COM compatibility mitigation that can temporarily block the vulnerable OLE control.
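The following PowerShell is an added example, not from the article or from Microsoft: it checks an installed Office build against the patched builds in the table above and whether a per-CLSID COM block is present. The CLSID is a placeholder, and the registry path follows Office's generic "COM Compatibility" mechanism, which is an assumption about how this particular mitigation is applied.

```powershell
# Added example (not from the original article). Minimum patched builds are the
# ones listed in the article's patch-status table.
$PatchedBuilds = @{
    'Office 2019' = [version]'16.0.10417.20095'
    'Office 2016' = [version]'16.0.5539.1001'
}

function Test-OfficeBuildPatched {
    param(
        [Parameter(Mandatory)][string]$Product,   # 'Office 2016' or 'Office 2019'
        [Parameter(Mandatory)][string]$Build      # e.g. '16.0.10417.20027'
    )
    if (-not $PatchedBuilds.ContainsKey($Product)) {
        throw "No minimum build known for '$Product'"
    }
    # [version] compares all four fields numerically, so 16.0.10417.20095 > 16.0.10417.9999.
    return ([version]$Build -ge $PatchedBuilds[$Product])
}

function Get-ClickToRunBuild {
    # Click-to-Run installs (Office 2019, Microsoft 365 Apps) report their build here.
    $cfg = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    (Get-ItemProperty -Path $cfg -Name VersionToReport -ErrorAction Stop).VersionToReport
}

function Test-OfficeComMitigation {
    # Assumed path: Office's per-CLSID 'Compatibility Flags' value, where bit 0x400
    # blocks the control from being instantiated (the Office "COM kill bit").
    param([Parameter(Mandatory)][string]$Clsid, [string]$OfficeVersion = '16.0')
    $key = "HKLM:\SOFTWARE\Microsoft\Office\$OfficeVersion\Common\COM Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($flags -band 0x400) -ne 0)
}

# Usage on a Click-to-Run Office 2019 host.
try {
    $build = Get-ClickToRunBuild
    "Office 2019 build $build patched: $(Test-OfficeBuildPatched -Product 'Office 2019' -Build $build)"
} catch { "Click-to-Run configuration not found: $_" }

# Placeholder CLSID: substitute the control identified in Microsoft's advisory.
"COM mitigation present: $(Test-OfficeComMitigation -Clsid '{CLSID-PLACEHOLDER}')"
```

For MSI-based Office 2016, read the build from the installed Office executable's file version instead of the Click-to-Run key and pass it to Test-OfficeBuildPatched with the product 'Office 2016'.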
