DEV Community

Mark0

Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

Microsoft has released urgent out-of-band security updates to address a high-severity zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509. The flaw, which carries a CVSS score of 7.8, is a security feature bypass that allows attackers to circumvent Object Linking and Embedding (OLE) mitigations. Successful exploitation relies on a victim opening a specially crafted Office file, potentially leading to unauthorized local access and control.

Active exploitation of this vulnerability has been confirmed, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog. While Microsoft 365 and Office 2021 users are being protected via service-side updates, users of Office 2016 and 2019 must manually apply patches or implement specific Windows Registry modifications to mitigate the risk. Organizations are urged to prioritize these updates before the February 16, 2026, deadline set for federal agencies.

