PT-2026-4775 · Microsoft · Office

Oruga00 +1 · Published 2026-01-26 · Updated 2026-06-22 · CVE-2026-21509

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

  • Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021
  • Microsoft Office LTSC 2024
  • Microsoft 365 Apps

Description

An issue in Microsoft Office arises from reliance on untrusted inputs when making security decisions, which allows an unauthorized attacker to bypass security features locally. Specifically, the flaw enables a bypass of Object Linking and Embedding (OLE) security mechanisms. When a user opens a specially crafted document (such as an RTF or DOC file), the exploit can execute arbitrary code without further user interaction, often using the WebDAV protocol to retrieve additional payloads.
Real-world exploitation has been observed in several campaigns:
  • APT28 (Fancy Bear) weaponized this issue to target military, government, maritime, and transportation entities in Europe and Ukraine, deploying payloads like the "NotDoor" Outlook VBA backdoor and "BeardShell" implant.
  • Operation Neusploit utilized the flaw to deliver the "MiniDoor" email stealer and "PixyNetLoader" malware, the latter of which uses steganography to hide shellcode within PNG images.
  • BO Team (Black Owl) targeted Russian companies using RTF files to gain unauthorized access via Component Object Model (COM) compromise.
  • Forest Werewolf has also been observed exploiting this issue.
Technical details include the use of the Shell.Explorer.1 OLE component with CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} to facilitate the attack.
Recommendations

For Microsoft Office 2016, install security update KB5002713. For Microsoft Office 2019, update to Build 10417.20095. For Microsoft Office LTSC 2021 and Microsoft Office LTSC 2024, install the February 2026 security update. As a temporary mitigation for all affected versions, block the vulnerable OLE component: under the COM Compatibility node of the appropriate Microsoft Office registry path, create a subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} and, in it, a DWORD value named Compatibility Flags set to 400.
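The temporary registry mitigation above, applied and verified from an elevated PowerShell session. This is an added example, not part of the advisory: the CLSID and the value name come from the advisory, while the two Office registry roots (the 16.0 node and its Click-to-Run virtual copy) and the reading of "400" as a hexadecimal DWORD, as Registry Editor displays it, are assumptions.

```powershell
# Added example: apply and verify the OLE "kill bit" style mitigation for the
# Shell.Explorer.1 component named in the advisory. Run as Administrator.
$Clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # from the advisory
$ValueName = 'Compatibility Flags'                       # from the advisory
$ValueData = 0x400   # assumption: the advisory's "400" read as hex, as regedit shows DWORDs

# Assumption: Office 2016/2019/LTSC 2021/LTSC 2024/Microsoft 365 Apps all register
# under 16.0; Click-to-Run installs keep a virtualised copy of that hive.
$OfficeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0'
)

function Set-OleCompatFlag {
    param([Parameter(Mandatory)][string]$ComCompatRoot)
    $key = Join-Path $ComCompatRoot $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null          # creates COM Compatibility too if missing
    }
    New-ItemProperty -Path $key -Name $ValueName -Value $ValueData `
        -PropertyType DWord -Force | Out-Null
}

function Test-OleCompatFlag {
    param([Parameter(Mandatory)][string]$ComCompatRoot)
    $key = Join-Path $ComCompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    # Compatibility Flags is a bit field: the mitigation counts as present when the 0x400 bit is set,
    # even if other bits were already there.
    return ($null -ne $current) -and (($current -band $ValueData) -eq $ValueData)
}

foreach ($office in $OfficeRoots) {
    if (-not (Test-Path $office)) {
        Write-Output ("skip  {0} (Office node not present)" -f $office)
        continue
    }
    $root = Join-Path $office 'Common\COM Compatibility'
    Set-OleCompatFlag -ComCompatRoot $root
    $state = if (Test-OleCompatFlag -ComCompatRoot $root) { 'OK  ' } else { 'FAIL' }
    Write-Output ("{0} {1}\{2} : {3} = 0x{4:X}" -f $state, $root, $Clsid, $ValueName, $ValueData)
}
```

Remove the value again once the vendor update is installed if you do not want the component blocked permanently; the Test-OleCompatFlag function alone is also usable as a compliance check across a fleet.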

Fix

RCE


Weakness Enumeration

Related Identifiers

BDU:2026-00828
CVE-2026-21509

Affected Products

Office