Microsoft Rushes Emergency Patch for Actively Exploited Office Zero-Day

Microsoft has pushed out an emergency, out-of-band security update for an actively exploited Microsoft Office zero-day vulnerability, tracked as CVE-2026-21509. The issue is already being used in real-world attacks, and it has now been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog—an important signal that organizations should treat this as a high-priority patch.

At its core, CVE-2026-21509 is described as a security feature bypass in Microsoft Office. The problem stems from Office making a security decision based on untrusted input, which can allow a threat actor to get around protections that are meant to block risky COM and OLE controls. In practical terms, attackers can use a malicious Office document to bypass Office security safeguards tied to OLE mitigations.

Microsoft rates the vulnerability at 7.8 on the CVSS v3.1 scale and has confirmed that exploitation is happening “in the wild.” While detailed attack telemetry hasn’t been publicly shared, the company has made one point clear: successful exploitation requires user interaction. An attacker would need to trick someone into opening a specially crafted Office file. Microsoft also notes that the Preview Pane is not a viable attack path for this specific flaw, which may reduce some passive-exposure concerns, but it does not eliminate the broader risk of document-based phishing and social engineering.

Who’s protected right now depends on the Office version in use. Devices running Office 2021 and newer receive protection automatically through a service-side change, but there’s a catch: users need to restart their Office applications for the mitigation to fully apply. For environments still relying on Office 2016 and Office 2019, protection does not take effect until the latest security updates are installed.

To help organizations reduce exposure immediately—especially where patching may take time—Microsoft has also provided a registry-based workaround designed to block exploitation before updates are applied. This gives IT teams an option to respond quickly while testing and rolling out patches across larger fleets.

Because CVE-2026-21509 is now listed in CISA’s KEV catalog, U.S. federal agencies are required to apply the fix by February 16, 2026. Even if you’re not in the federal space, KEV inclusion is often a strong indicator that defenders should accelerate remediation, since these vulnerabilities tend to be actively targeted across multiple sectors once they’re publicly tracked.

This emergency Office patch lands during a particularly rough stretch for updates overall. Earlier in January 2026, Windows 11 security update KB5074109 was associated with stability complaints, including reports of UNMOUNTABLE_BOOT_VOLUME boot failures on some systems—adding to concerns about the reliability of recent update cycles. Even so, with an actively exploited Office zero-day in play, delaying remediation carries its own risks, especially for organizations that frequently exchange Office documents with external senders.

For users and businesses looking to reduce risk right away, the main takeaways are straightforward: install the out-of-band Office security update as soon as possible (especially on Office 2016 and 2019), restart Office apps on Office 2021 and newer to ensure protections are applied, and consider the provided workaround where immediate patch deployment isn’t feasible.
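As an added example (not Microsoft's guidance and not code from the article), the PowerShell triage script below reads the Office Click-to-Run configuration to decide which of the two remediation paths described above applies to a machine, and whether Office apps are still running and need a restart. The mapping of ProductReleaseIds values to the article's version groups, the registry path and the process-name list are assumptions to verify against your own inventory.

```powershell
# Added triage script: classifies a Windows host into the article's remediation
# groups (Office 2016/2019 -> needs the security update; Office 2021 and newer ->
# service-side change, restart Office apps). Assumes a Click-to-Run install and
# local administrator rights; the release-ID patterns are an assumed mapping.

$c2rKey      = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$officeProcs = 'WINWORD','EXCEL','POWERPNT','OUTLOOK','MSACCESS','VISIO','ONENOTE'

function Get-OfficeRemediationStatus {
    if (-not (Test-Path $c2rKey)) {
        # No Click-to-Run key: probably an MSI install, which this script does not classify.
        return [pscustomobject]@{
            Release     = 'unknown (no Click-to-Run key; MSI install?)'
            Version     = $null
            RunningApps = @()
            Action      = 'Manual review: confirm the Office build and apply the out-of-band update'
        }
    }
    $cfg     = Get-ItemProperty -Path $c2rKey
    $ids     = [string]$cfg.ProductReleaseIds
    $ver     = [string]$cfg.VersionToReport
    $running = @(Get-Process -ErrorAction SilentlyContinue |
                 Where-Object { $officeProcs -contains $_.ProcessName } |
                 Select-Object -ExpandProperty ProcessName -Unique)

    # Assumed mapping: perpetual 2016/2019 IDs vs 2021/2024 and Microsoft 365 Apps IDs.
    if ($ids -match '2016|2019') {
        $action = 'Install the latest Office security update; no protection until it is applied'
    } elseif ($ids -match '2021|2024|O365') {
        if ($running.Count -gt 0) {
            $action = "Service-side protection available, but Office is running ($($running -join ', ')): restart those apps"
        } else {
            $action = 'Service-side protection applies; no Office apps currently running'
        }
    } else {
        $action = 'Unrecognised release ID: review manually and consider the registry workaround until patched'
    }
    [pscustomobject]@{ Release = $ids; Version = $ver; RunningApps = $running; Action = $action }
}

Get-OfficeRemediationStatus | Format-List
```

Run it per host (or via your management tooling) and feed the Action field into your patch tracking; hosts reported as "unknown" or "unrecognised" still need the update or workaround, they just could not be classified automatically.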