LmCast :: Stay tuned in

Recorded: Jan. 26, 2026, 9 p.m.

Microsoft patches actively exploited Office zero-day vulnerability

By Sergiu Gatlan

January 26, 2026
01:20 PM

Microsoft has released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability exploited in attacks.
The security feature bypass vulnerability, tracked as CVE-2026-21509, affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise (the company's cloud-based subscription service).
However, as noted in today's advisory, security updates for Microsoft Office 2016 and 2019 are not yet available and will be released as soon as possible.

While the preview pane is not an attack vector, unauthenticated local attackers can still successfully exploit the vulnerability through low-complexity attacks that require user interaction.
"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. An attacker must send a user a malicious Office file and convince them to open it," Microsoft explained.
"This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls."
"Customers on Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect," it added.
Although Office 2016 and 2019 aren't immediately patched against attacks, Microsoft has provided confusing mitigation measures that could "reduce the severity of exploitation."
We have attempted to clear this up with our instructions below:
1. Close all Microsoft Office applications.
2. Create a backup of the Windows Registry, as incorrectly editing it can cause issues with the operating system.
3. Open the Windows Registry Editor (regedit.exe) by clicking on the Start menu, typing regedit, and pressing Enter when it appears in the search results.
4. When it opens, use the address bar at the top to check whether one of the following Registry keys exists:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Office, or 32-bit Office on 32-bit Windows)

   HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Office on 64-bit Windows)

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\

5. If none of the above keys exists, create a new "COM Compatibility" key under the following Registry path by right-clicking on Common and selecting New -> Key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\

6. Right-click on the existing or newly created COM Compatibility key, select New -> Key, and name it {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
7. Once the {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} key is created, right-click on it and select New -> DWORD (32-bit) Value. Name the new value Compatibility Flags.
8. Double-click the new Compatibility Flags value, make sure the Base option is set to Hexadecimal, and enter 400 in the Value data field.
After performing these steps, the flaw will be mitigated when you next launch an Office application.
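The same registry steps in scripted form, added here as an example; it is not Microsoft's guidance or the article's own text. It assumes an elevated PowerShell session on an affected Office 2016/2019 machine and uses only the four key paths, the CLSID, and the hexadecimal 400 value given in the steps above:

```powershell
#Requires -RunAsAdministrator
# Added example: applies the interim CVE-2026-21509 registry mitigation described
# in the article for Office 2016/2019. Writes to HKLM, so run elevated.

$Clsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # subkey name from the advisory
$Flags = 0x400                                      # "Compatibility Flags" = hex 400

# Step 1: Office applications must be closed; warn if any are still running.
$Open = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue
if ($Open) { Write-Warning ('Close these Office apps first: ' + (($Open.Name | Sort-Object -Unique) -join ', ')) }

# Step 2: back up the Office 16.0 registry branch before touching it.
$Backup = Join-Path $env:TEMP ('Office16-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SOFTWARE\Microsoft\Office\16.0' $Backup /y | Out-Null

# Step 4: the four "COM Compatibility" locations the article lists.
$Candidates = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
)

# Step 5: use every key that already exists; if none does, create the one the
# article names under HKLM\SOFTWARE\Microsoft\Office\16.0\Common.
$Targets = @($Candidates | Where-Object { Test-Path -LiteralPath $_ })
if ($Targets.Count -eq 0) {
    New-Item -Path $Candidates[0] -Force | Out-Null
    $Targets = @($Candidates[0])
}

# Steps 6-8: CLSID subkey plus a REG_DWORD "Compatibility Flags" of 0x400.
foreach ($Base in $Targets) {
    $KeyPath = Join-Path $Base $Clsid
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -LiteralPath $KeyPath -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $Flags -Force | Out-Null
}

# Verify by reading every value back; anything that is not 0x400 is reported.
foreach ($Base in $Targets) {
    $KeyPath = Join-Path $Base $Clsid
    $Current = (Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($Current -eq $Flags) { Write-Host ('OK      {0} = 0x{1:X}' -f $KeyPath, $Current) }
    else { Write-Warning ('NOT SET {0} (found: {1})' -f $KeyPath, $Current) }
}
Write-Host "Backup written to $Backup. Restart Office for the mitigation to take effect."
```

The verification loop is the check to keep after a patch ships: once Office 2016/2019 are updated, the same read-back tells you whether the interim value is still present and can be removed.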
"We recommend impacted customers follow the guidance on our CVE page. Additionally, Microsoft Defender has detections in place to block exploitation, and our default Protected View setting provides an extra layer of protection by blocking malicious files from the Internet," a Microsoft spokesperson told BleepingComputer when asked for more details on how CVE-2026-21509 is exploited.
"As a security best practice, we encourage users to exercise caution when downloading and enabling editing on files from unknown sources as indicated in security warnings."
Earlier this month, as part of the January 2026 Patch Tuesday, Microsoft issued security updates for 114 flaws, including one actively exploited and two publicly disclosed zero-day bugs.
The other actively exploited zero-day patched this month is an information disclosure flaw in the Desktop Window Manager, tagged by Microsoft as "important severity," that can let attackers read memory addresses associated with the remote ALPC port.
Last week, Microsoft also released multiple out-of-band Windows updates to fix shutdown and Cloud PC bugs triggered by the January Patch Tuesday updates, as well as another set of emergency updates to address an issue causing the classic Outlook email client to freeze or hang.
Update January 27, 05:25 EST: Added Microsoft statement.

Comments

deltasierra - 1 day ago

"Microsoft has released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability exploited in attacks."
Released as service-side updates for Office 2021 and later, meaning there are no patches for users to install. Microsoft says in the CVE article that these apps just need to be restarted to make the fix go into effect.

Microsoft has released emergency out-of-band security updates to address a high-severity zero-day vulnerability in Microsoft Office that is being actively exploited in attacks. The vulnerability, tracked as CVE-2026-21509, affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise. The report notes that while Office 2021 and later are protected by a service-side change, patches for the older Office 2016 and 2019 releases are not yet available.

The vulnerability is a bypass of the OLE mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM/OLE controls. An unauthenticated local attacker can exploit it by sending a malicious Office file to a user and convincing them to open it, which underscores the importance of user vigilance when handling unsolicited files. Microsoft notes that the preview pane is not an attack vector; the user has to open the file for the bypass to occur.

The urgency is reflected in the out-of-band nature of the updates, a rapid response to a newly discovered and actively exploited threat. For Office 2021 and later, the fix is a service-side change applied automatically, requiring only a restart of the Office applications to take effect. Office 2016 and 2019, however, have no patch yet, leaving those installations exposed until one ships; in the meantime Microsoft has published an interim mitigation for them.

For affected Office 2016 and 2019 installations, Microsoft's interim mitigation is a set of manual Windows Registry edits. They involve checking the HKEY_LOCAL_MACHINE hive for an existing "COM Compatibility" key under the Office 16.0\Common path (including the WOW6432Node and ClickToRun variants), creating it if it does not exist, adding a subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} beneath it, and setting a DWORD value named Compatibility Flags to hexadecimal 400 in that subkey. The setting takes effect the next time an Office application is launched and is meant to reduce the severity of exploitation until a patch is available.

When queried by BleepingComputer, a Microsoft spokesperson directed customers to the guidance on the official CVE page and pointed to Microsoft Defender's detections for exploitation attempts and the default Protected View setting, which blocks malicious files from the Internet, as additional layers of protection. The spokesperson also stressed the importance of exercising caution when downloading files from unknown sources and enabling editing on them, a core security best practice.

This incident follows the January 2026 Patch Tuesday release, which addressed 114 vulnerabilities, including another actively exploited zero-day in the Desktop Window Manager, an information disclosure flaw rated "important" that lets an attacker read memory addresses associated with the remote ALPC port. Microsoft has since released out-of-band Windows updates to fix shutdown and Cloud PC bugs triggered by the January updates, and a separate emergency update for the classic Outlook client freezing or hanging.

The continuous need for rapid security updates and interim mitigations underscores the vigilance required around Microsoft products. The details of CVE-2026-21509, together with the registry workaround documented for unpatched versions, serve as a reminder of the importance of user awareness and of vendors addressing vulnerabilities swiftly.