Microsoft has released an emergency out-of-band patch for many versions of Office to address an actively exploited security feature bypass vulnerability. The update is not yet available for some older versions of Office that are also affected, including Office 2016 and 2019.

The vulnerability (CVE-2026-21509) requires user interaction for an attack to succeed, with the most likely vector being an attacker sending a malicious Office file to a victim, who then opens it. 

“This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” the Microsoft advisory says. 

“The security updates for Microsoft Office Client 2016 and 2019 versions are not immediately available. These updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE.”

The flaw affects Office 2016, 2019, LTSC 2021, LTSC 2024, and several versions of Microsoft 365 Apps for Enterprise. 

For organizations running vulnerable versions of Office for which updates aren’t available, Microsoft recommends deploying an interim mitigation that involves adding new registry keys; the exact keys and values are given in its advisory. The company said that this vulnerability has been exploited in the wild, but did not provide any further details about the exploitation activity.
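Rolling a registry-based workaround like this out to a fleet is mostly a question of applying it idempotently and being able to audit which hosts still lack it. The PowerShell script below is an added example, not code from the article or from Microsoft’s advisory: it audits (by default) or applies (with -Apply) a table of registry values and reports the installed Click-to-Run Office build so you can tell when the fixed update has actually landed. The key path, value name, type and data in $Mitigation are placeholders, not the real mitigation; copy the exact entries from the CVE-2026-21509 advisory before using it.

```powershell
<#
  Added example, not from the article or from Microsoft's advisory.
  Audits (default) or applies (-Apply) a list of registry values of the kind
  Microsoft publishes as an interim mitigation, and prints the installed
  Click-to-Run Office build. Every entry in $Mitigation is a PLACEHOLDER:
  replace it with the exact key, value name, type and data from the advisory.
#>
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports what is missing
)

$Mitigation = @(
    @{
        # PLACEHOLDER path, name and data; none of these come from the advisory.
        Path  = 'HKCU:\Software\Microsoft\Office\Common\PLACEHOLDER\{00000000-0000-0000-0000-000000000000}'
        Name  = 'PlaceholderValueName'
        Type  = 'DWord'
        Value = 1
    }
)

function Test-RegValue {
    param([hashtable]$Entry)
    # True only if the key exists, the value exists, and its data matches exactly.
    if (-not (Test-Path -LiteralPath $Entry.Path)) { return $false }
    $props = Get-ItemProperty -LiteralPath $Entry.Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    if (-not ($props.PSObject.Properties.Name -contains $Entry.Name)) { return $false }
    return ($props.($Entry.Name) -eq $Entry.Value)
}

function Set-RegValue {
    param([hashtable]$Entry)
    if (-not (Test-Path -LiteralPath $Entry.Path)) {
        # -Force creates any missing intermediate keys as well.
        New-Item -Path $Entry.Path -Force | Out-Null
    }
    # -Force overwrites an existing value of the same name, so re-running is safe.
    New-ItemProperty -LiteralPath $Entry.Path -Name $Entry.Name `
        -PropertyType $Entry.Type -Value $Entry.Value -Force | Out-Null
}

function Get-OfficeC2RBuild {
    # Click-to-Run installs record their build here; MSI-based Office 2016/2019
    # installs do not have this key, so $null means "not Click-to-Run".
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path -LiteralPath $c2r) {
        return (Get-ItemProperty -LiteralPath $c2r).VersionToReport
    }
    return $null
}

$build = Get-OfficeC2RBuild
if ($build) { Write-Host "Office Click-to-Run build: $build" }
else        { Write-Host "Office Click-to-Run build: not found (MSI-based install?)" }

$missing = @()
foreach ($entry in $Mitigation) {
    $label = "$($entry.Path)\$($entry.Name)"
    if (Test-RegValue $entry) {
        Write-Host "OK      $label"
        continue
    }
    if ($Apply) {
        Set-RegValue $entry
        if (Test-RegValue $entry) {
            Write-Host "APPLIED $label"
        } else {
            Write-Host "FAILED  $label"
            $missing += $entry
        }
    } else {
        Write-Host "MISSING $label  (run with -Apply to set it)"
        $missing += $entry
    }
}

# A non-zero exit code lets a deployment or compliance tool flag hosts that are still exposed.
exit $missing.Count
```

Two caveats a practitioner will hit: values under HKCU live in each user’s hive, so the script has to run in the context of every user who opens Office files (a logon script, Group Policy Preferences set to run as the logged-on user, or a user-scoped Intune script), not once as SYSTEM; and once the real update ships, check the advisory’s guidance on whether the workaround keys should be left in place or removed rather than assuming either.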

That’s typical of the way that Microsoft and other vendors handle the release of information about exploitation activity, and as yet there isn’t any information from other threat intelligence teams about attacks targeting CVE-2026-21509 either.