PT-2026-4775 · Microsoft · Office

Published 2026-01-26 · Updated 2026-01-30 · CVE-2026-21509

CVSS v3.1: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Microsoft Office versions 2016 through 2024 and Microsoft 365 Apps for Enterprise

Description

This is a security feature bypass vulnerability in Microsoft Office, actively exploited in attacks. The vulnerability allows attackers to bypass Object Linking and Embedding (OLE) mitigations by using specially crafted Office documents. Exploitation requires a user to open a malicious document, and the Preview Pane is not an attack vector. The vulnerability allows an unauthorized attacker to bypass a security feature locally. This flaw has been observed in real-world attacks and is being actively exploited. The vulnerability is tracked as CVE-2026-21509 and has a CVSS score of 7.8. Attackers can leverage this flaw to execute code on compromised systems. The vulnerability affects multiple versions of Microsoft Office, including Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps.

Recommendations

Apply the latest Microsoft Office security updates from the January 2026 Patch Tuesday release. For Office 2016 and 2019, install the available updates or apply the registry-based mitigation. For Microsoft 365 Apps and Office 2021 and later versions, restart Office applications to ensure the service-side fix is applied.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-00828
CVE-2026-21509

Affected Products

Office