Office zero-day exploited in the wild forces Microsoft OOB patch
Summary
Microsoft has released an out-of-band (OOB) Office patch to address CVE-2026-21509, a zero-day security feature bypass vulnerability with a CVSS score of 7.8 that is being actively exploited in the wild. The flaw allows attackers to bypass protections aimed at blocking legacy components such as COM and OLE, enabling malicious document-based attacks when a user opens a crafted Office file.
Patches are available for recent Office builds, but Office 2016 and 2019 users must rely on temporary registry-based mitigations until formal fixes are released. Microsoft provided few details about the campaigns abusing the bug, though it credited its internal security teams with discovering the issue. The US CISA has added the flaw to its Known Exploited Vulnerabilities catalogue and set federal agencies a remediation deadline.
Key Points
- CVE-2026-21509 is a security feature bypass in Microsoft Office (CVSS 7.8) being exploited in the wild.
- The flaw stems from Office trusting untrusted input; attackers use it to force Office to load unsafe legacy components (COM/OLE) from malicious files.
- Microsoft issued an emergency out-of-band patch for supported builds; Office 2016 and 2019 lack immediate fixes and must use registry mitigations.
- Mitigations require adding a COM Compatibility registry key and setting a Compatibility Flags DWORD — a workaround that’s hard to roll out consistently at scale.
- CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue, giving federal agencies a remediation date of 16 February.
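The registry workaround described above, written out as an added PowerShell example that is not part of the article or of Microsoft's own guidance. The key path, the "Compatibility Flags" value name and the 0x400 "do not load" bit follow the long-standing Office COM kill-bit convention and are assumptions to confirm against Microsoft's advisory; the CLSID is a placeholder, and the audit mode is what makes the rollout checkable at scale.

```powershell
# Added example (not from the article): deploy or audit an Office COM Compatibility block.
# Assumptions: key path follows the Office COM kill-bit convention under
# HKLM:\SOFTWARE\Microsoft\Office\<ver>\Common\COM Compatibility\{CLSID}, the DWORD is
# "Compatibility Flags", and 0x400 ("do not load") is the blocking bit. The CLSID below is a
# PLACEHOLDER; take the real CLSIDs from Microsoft's advisory for CVE-2026-21509.
param(
    [string[]]$Clsid = @('{00000000-0000-0000-0000-000000000000}'),  # PLACEHOLDER
    [string[]]$OfficeVersion = @('16.0'),   # Office 2016 and 2019 both register under 16.0
    [switch]$Audit                          # report only; change nothing
)
$flagName  = 'Compatibility Flags'
$flagValue = 0x400

$results = foreach ($ver in $OfficeVersion) {
    foreach ($id in $Clsid) {
        $key = "HKLM:\SOFTWARE\Microsoft\Office\$ver\Common\COM Compatibility\$id"
        $current = (Get-ItemProperty -Path $key -Name $flagName -ErrorAction SilentlyContinue).$flagName
        # The key only counts as a mitigation if the 0x400 bit is set; other bits may coexist
        $blocked = ($null -ne $current) -and (($current -band $flagValue) -eq $flagValue)
        if (-not $blocked -and -not $Audit) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in rather than overwrite, so any existing flags are preserved
            $new = [int]($current -bor $flagValue)
            Set-ItemProperty -Path $key -Name $flagName -Value $new -Type DWord
            $blocked = $true
        }
        [pscustomobject]@{ OfficeVersion = $ver; Clsid = $id; Blocked = $blocked; Flags = $current }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a deployment tool (Intune, SCCM, GPO startup script) flag hosts still unmitigated
if ($Audit -and ($results | Where-Object { -not $_.Blocked })) { exit 1 }
```

Run with -Audit from the management tool to inventory the estate before and after the rollout; 32-bit Office on 64-bit Windows keeps its keys under WOW6432Node, so add that path if your fleet mixes bitness.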
Context and relevance
This is the latest in a string of early-2026 Microsoft bugs being actively exploited, compounding patch fatigue for organisations. The vulnerability underlines the persistent risk posed by legacy Windows/Office plumbing (COM/OLE) in document attacks and the operational burden of deploying registry workarounds across large estates. Security teams, patch managers and sysadmins should prioritise applying available updates and assess deployment of the registry block where updates are not yet available.
Why should I read this?
Short and blunt: if you run Microsoft Office in your organisation (or open Office files at home), this matters. The bug is being used in real attacks, patches are already out for newer builds, and older Office users are stuck with fiddly registry fixes for now. Read this so you know whether to patch, apply the workaround, and warn users not to open dodgy documents.
Author style
Punchy — this is urgent security news. If you manage endpoints or look after Office deployments, treat the detail here as actionable: patch supported builds, prepare to apply registry mitigations for legacy Office, and brief your teams.
