PT-2026-7400 · Microsoft · Office Word

MSRC · Published 2026-02-10 · Updated 2026-03-10 · CVE-2026-21514

CVSS v3.1

7.8

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Microsoft Word versions prior to February 2026 Patch Tuesday

Description

A critical security flaw in Microsoft Word allows an attacker to bypass security features locally by exploiting reliance on untrusted inputs during security decisions. This issue, categorized as CWE-807, specifically bypasses Object Linking and Embedding (OLE) mitigations, potentially enabling malicious COM/OLE controls to execute. The vulnerability is actively exploited in the wild, and successful exploitation requires a victim to open a specially crafted document. The flaw impacts global and enterprise users of Microsoft Office. The vulnerability abuses trust decisions in OLE activation, potentially involving issues with how Word resolves embedded CLSIDs and validates OLE stream metadata within the Compound File Binary.

Recommendations

Apply the February 2026 Patch Tuesday updates to all affected systems.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-01699
CVE-2026-21514

Affected Products

Office Word