PT-2026-4775 · Microsoft · Office

Published: 2026-01-26 · Updated: 2026-01-27 · CVE-2026-21509

CVSS v3.1: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Microsoft Office versions 2016 through 2024
Microsoft 365 Apps
Microsoft Office LTSC 2021
Microsoft Office LTSC 2024
Description
A security issue exists in Microsoft Office where reliance on untrusted inputs in a security decision allows an unauthorized attacker to bypass a security feature locally. This issue is actively exploited in attacks. The vulnerability allows attackers to bypass Object Linking and Embedding (OLE) protections by tricking users into opening malicious Office files; the preview pane is not an attack vector. A large number of Microsoft Office users worldwide are potentially affected. Attackers can leverage this issue to gain unauthorized access to sensitive information or disrupt workflows. Exploitation requires user interaction, specifically opening a malicious file.
Recommendations
For Microsoft Office 2016 and 2019, apply the upcoming patch or implement the registry mitigation by adding a COM key with Compatibility Flags=400. For Microsoft Office 2021 and later, including Office LTSC 2021, Office LTSC 2024 and Microsoft 365 Apps, restart the application to enable the automatic security protections.
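Applying and verifying the Office 2016/2019 registry mitigation described above, as an added example that is not part of the advisory. The advisory gives only the value (Compatibility Flags=400); the key path (the standard Office COM Compatibility location, in both the 64-bit and WOW6432Node views) and the all-zero CLSID placeholder are assumptions, so substitute the CLSID from Microsoft's guidance for CVE-2026-21509.

```powershell
#Requires -RunAsAdministrator
# Added example: sets the Office COM "Compatibility Flags" mitigation for one CLSID
# and confirms the 0x400 bit is present afterwards. The CLSID below is a placeholder,
# not a value from the advisory.
param(
    [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER CLSID
)

$flagValue = 0x400   # "Compatibility Flags=400" per the advisory (hex DWORD)

# Assumed key location; both registry views so 32- and 64-bit Office are covered.
$basePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility'
)

function Set-OfficeComCompatFlag {
    param([string]$BasePath, [string]$Clsid, [int]$Value)
    $keyPath = Join-Path $BasePath $Clsid
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-OfficeComCompatFlag {
    param([string]$BasePath, [string]$Clsid, [int]$Value)
    $keyPath = Join-Path $BasePath $Clsid
    $current = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    # Bitwise check: 0x400 must be set; other compatibility bits may coexist.
    return ($null -ne $current) -and (($current -band $Value) -eq $Value)
}

foreach ($base in $basePaths) {
    Set-OfficeComCompatFlag -BasePath $base -Clsid $Clsid -Value $flagValue
    $ok = Test-OfficeComCompatFlag -BasePath $base -Clsid $Clsid -Value $flagValue
    $state = if ($ok) { 'set' } else { 'NOT set' }
    Write-Output ("{0}\{1} Compatibility Flags 0x{2:X}: {3}" -f $base, $Clsid, $flagValue, $state)
}
```

Run the script once per CLSID named in the vendor guidance; the verification step reports which registry view still lacks the bit if a write is blocked by policy.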

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-21509

Affected Products

Office