Microsoft has released emergency out-of-band security updates to fix a high-severity zero-day vulnerability in Microsoft Office that is actively being exploited in real-world attacks.
The vulnerability, tracked as CVE-2026-21509, is a security feature bypass flaw that impacts several Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise. Microsoft confirmed that security updates for Office 2016 and 2019 are not yet available, but said patches for those versions will be released as soon as possible.
Microsoft explained that the flaw allows an attacker to bypass Office security protections by convincing a user to open a malicious Office document. While the Preview Pane is not an attack vector, unauthenticated local attackers can still exploit the vulnerability through low-complexity attacks that require user interaction. According to Microsoft, the issue is caused by Office relying on untrusted input during security decisions, allowing attackers to bypass OLE mitigations designed to protect users from vulnerable COM and OLE controls.
Microsoft also noted that customers using Office 2021 and later versions are automatically protected through a service-side change, but they must restart their Office applications for the protection to take effect.
Although Office 2016 and 2019 users are not yet fully patched, Microsoft has provided a registry-based mitigation that may reduce the severity of exploitation. Microsoft's guidance is confusing, so the steps are listed clearly below.
- Close all Microsoft Office applications.
- Create a backup of the Windows Registry, as incorrect edits can cause system issues.
- Open the Windows Registry Editor by clicking the Start menu, typing regedit, and pressing Enter.
- Once the Registry Editor opens, check whether any one of the following Registry keys exists:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Office, or 32-bit Office on 32-bit Windows)
  - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Office on 64-bit Windows)
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\
- If none of the above keys exist, create a new COM Compatibility key under the following Registry path by right-clicking on Common and selecting New → Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\
- Right-click on the existing or newly created COM Compatibility key and select New → Key, then name it:
{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
- After creating the new key, right-click on it and select New → DWORD (32-bit) Value.
- Name the new value Compatibility Flags.
- Double-click Compatibility Flags, make sure the Base option is set to Hexadecimal, and enter 400 in the Value data field.
After completing these steps, the vulnerability will be mitigated the next time an Office application is launched.
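For administrators who need to apply the mitigation to more than one machine, the same registry steps can be scripted. The following PowerShell script is an added example written for this article; it is not Microsoft's own guidance or tooling. It uses only the key paths, the CLSID and the hexadecimal value 400 listed in the steps above. One assumption is made where the steps are ambiguous: if more than one of the candidate COM Compatibility keys already exists, the flag is written under each of them. Run it from an elevated PowerShell prompt with all Office applications closed, after backing up the registry as step 2 advises.

```powershell
# Added example (not from the article or from Microsoft): applies the
# CVE-2026-21509 registry mitigation described above, then verifies it.
# Requires an elevated prompt; close all Office applications first and
# back up the registry (for example with reg.exe export) before running.

$clsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID named in step 6
$valueName = 'Compatibility Flags'                  # DWORD named in step 8
$flagValue = 0x400                                  # hex 400 from step 9

# The four candidate "COM Compatibility" locations listed in step 4.
$candidates = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
)

# Step 4: look for existing keys. Step 5: if none exist, create the first
# path (under HKLM\SOFTWARE\Microsoft\Office\16.0\Common).
$existing = @($candidates | Where-Object { Test-Path -LiteralPath $_ })
if ($existing.Count -gt 0) {
    # Assumption: when several keys exist, mitigate under each of them.
    $targets = $existing
} else {
    New-Item -Path $candidates[0] -Force | Out-Null
    $targets = @($candidates[0])
}

foreach ($base in $targets) {
    $keyPath = "$base\$clsid"
    # Step 6: create the CLSID subkey (no change if it is already there).
    if (-not (Test-Path -LiteralPath $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # Steps 7-9: create (or overwrite) the REG_DWORD "Compatibility Flags"
    # with the hexadecimal value 400.
    New-ItemProperty -LiteralPath $keyPath -Name $valueName `
        -PropertyType DWord -Value $flagValue -Force | Out-Null
}

# Verification pass: report the state of every candidate location so the
# result can be captured in a deployment or audit log.
foreach ($base in $candidates) {
    $keyPath = "$base\$clsid"
    if (-not (Test-Path -LiteralPath $keyPath)) {
        Write-Output "$keyPath : key absent"
        continue
    }
    $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
    $flags = $props.$valueName
    if ($null -ne $flags -and ($flags -band $flagValue)) {
        Write-Output ("$keyPath : mitigated (Compatibility Flags = 0x{0:X})" -f $flags)
    } else {
        Write-Output "$keyPath : Compatibility Flags NOT set"
    }
}
```

The verification loop is deliberately separate from the write loop so that it can also be run on its own (for example by a configuration-compliance job) to confirm that the flag is present before and after the emergency patches for Office 2016 and 2019 are installed. As the article notes, the mitigation only takes effect the next time an Office application is launched, so the check confirms the registry state, not the running process.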
Microsoft has not disclosed who discovered the vulnerability or provided technical details on how the attacks are being carried out. The company also did not immediately comment when contacted by security researchers earlier today.
Earlier this month, Microsoft released security updates for 114 vulnerabilities as part of the January 2026 Patch Tuesday, including another actively exploited zero-day flaw in the Desktop Window Manager that could allow attackers to read sensitive memory information. In recent weeks, Microsoft has also issued multiple emergency Windows updates to fix shutdown issues, Cloud PC bugs, and problems causing the classic Outlook client to freeze or hang.