Microsoft has rolled out an urgent security update to plug a zero-day hole in its Office suite that has been exploited in attacks and allows attackers to sidestep crucial defenses. The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 and strikes at the heart of how Office handles Object Linking and Embedding (OLE) controls.
The flaw is classified as a “Security Feature Bypass,” meaning it doesn’t just crash the system—it quietly unlocks doors that should remain bolted. Specifically, it defeats the OLE mitigations designed to “protect users from vulnerable COM/OLE controls”.
The vulnerability hinges on a classic weakness: “Reliance on untrusted inputs in a security decision”. By feeding the system carefully crafted malicious data, an attacker can trick Microsoft Office into lowering its guard, allowing unauthorized actions to proceed locally.
However, there is a catch. This is not a “drive-by” attack where simply looking at a website compromises your machine. The vulnerability has a User Interaction rating of Required (UI:R). To trigger the exploit, “An attacker must send a user a malicious Office file and convince them to open it”.
This reliance on social engineering—phishing emails, deceptive downloads, or urgent “invoice” attachments—makes the human element the final line of defense. Notably, the Preview Pane is safe; viewing the file there will not trigger the attack.
Microsoft released the fix on January 26, 2026, addressing the issue in Microsoft Office 2016 and Microsoft Office 2019.
Users are strongly advised to check their build numbers: a patched installation reports Build 16.0.10417.20095 or later. You can verify your status by navigating to File > Account > About in any Office application.
For organizations that cannot patch immediately, there is a manual kill switch. Administrators can disable the vulnerable functionality by modifying the Windows Registry to block specific COM components.
The workaround involves adding a key to the COM Compatibility node:
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\
- Create a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
- Inside, add a REG_DWORD value named Compatibility Flags with a hexadecimal value of 400 (0x400).
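The following PowerShell script is an added example, not part of Microsoft's advisory or this article: it applies the registry workaround above for the listed CLSID, verifies the flag is set, and skips the workaround when a patched build is already installed. It assumes a Click-to-Run installation (the build is read from the ClickToRun VersionToReport value, an assumption) and must run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: apply/verify the CVE-2026-21509 COM Compatibility workaround.

$Clsid      = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # control named in the advisory
$BasePath   = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
$KeyPath    = Join-Path $BasePath $Clsid
$KillBit    = 0x400                                      # "Compatibility Flags" value from the workaround
$FixedBuild = [version]'16.0.10417.20095'                # first patched build per the advisory

function Set-OfficeComKillBit {
    # Creates the CLSID subkey if missing and sets Compatibility Flags = 0x400 (REG_DWORD).
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $KillBit -Force | Out-Null
}

function Test-OfficeComKillBit {
    # Returns $true only when the 0x400 bit is present in the existing value.
    if (-not (Test-Path $KeyPath)) { return $false }
    $flags = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

function Get-OfficeBuild {
    # Assumption: Click-to-Run install; reads VersionToReport from the C2R configuration key.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $v = (Get-ItemProperty -Path $c2r -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
    if ($v) { return [version]$v } else { return $null }
}

# --- main ---
$build = Get-OfficeBuild
if ($build -and $build -ge $FixedBuild) {
    Write-Host "Office build $build is at or above $FixedBuild; the patch appears to be installed."
} else {
    $shown = if ($build) { $build } else { 'unknown' }
    Write-Host "Office build $shown is below $FixedBuild; applying the registry workaround."
    Set-OfficeComKillBit
}
if (Test-OfficeComKillBit) {
    Write-Host "Compatibility Flags 0x400 is set for $Clsid."
} else {
    Write-Host "Compatibility Flags 0x400 is NOT set for $Clsid."
}
```

Re-run the script after installing the official update; the build check will then report the patched version, and the registry key can be removed once it is no longer needed.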
While effective, manually editing the registry carries its own risks. The cleanest path forward remains the official patch. “Customers running Microsoft Office 2016 and 2019 should ensure the update is installed to be protected from this vulnerability”.