CVE-2026-21509: Actively Exploited Microsoft Office Security Control Bypass Flaw


CVE-2026-21509 is a Microsoft Office security feature bypass vulnerability that lets an attacker circumvent the built-in OLE mitigations because Office relies on untrusted input when making a security decision (CWE-807). Exploitation requires user interaction (the victim must open a crafted document), and active exploitation has been confirmed, which makes it a high-priority risk for organizations running affected Office versions.

Severity: High

Vulnerability Details

  • CVE ID: CVE-2026-21509
  • CVSS Score: 7.8
  • Vulnerability Type: Security Feature Bypass (CWE-807 – Reliance on Untrusted Inputs in a Security Decision)
  • Description: The flaw arises from improper trust of unvalidated input in a security decision within Microsoft Office (CWE-807). It lets an attacker bypass the OLE (Object Linking and Embedding) mitigations that are meant to stop unsafe or vulnerable COM/OLE controls from being instantiated. By crafting a malicious Office document and convincing a user to open it, the attacker defeats those protections in the context of the user who opened the file. The "Local" attack vector below reflects that the document must be opened on the target system; it does not mean the attacker needs prior access to it.

Attack Vector And Exploitation

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required (opening a malicious Office file)
  • Exploit Status: Exploitation detected in the wild

The Preview Pane is not an attack vector for this vulnerability, so delivery depends on the user explicitly opening the malicious file rather than merely previewing it in Outlook or Explorer.

Affected Products

The vulnerability impacts multiple Microsoft Office offerings, including:

  • Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021 and 2024
  • Microsoft 365 Apps for Enterprise

Security updates for affected versions were released on January 26, 2026.

Recommendations

  1. Immediately install the January 26, 2026, security updates for all affected Microsoft Office versions, especially Office 2016 and 2019.
  2. Office 2021 and later: Automatically protected via a service-side change after restarting Office applications. Validate that Office 2021 and later systems have been restarted to apply service-side protections.
  3. Mitigation: For environments unable to patch immediately, apply Microsoft's registry-based COM compatibility mitigation to block the vulnerable OLE control. This provides interim protection until the updates have been fully deployed; it is not a substitute for patching.
    For the exact control to block and instructions to apply the mitigation, refer to https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
  4. Enforce policies to block or restrict Office files from untrusted sources, especially those delivered via email or downloaded from the internet.
  5. Educate users on the risks of opening unexpected or unsolicited Office documents, even if they appear legitimate. Reinforce reporting procedures for suspicious attachments or unusual Office behavior.
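The registry mitigation in recommendation 3 uses Office's standard "COM Compatibility" mechanism: a per-CLSID key under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility whose "Compatibility Flags" DWORD has bit 0x400 set, which tells Office not to instantiate that control. The script below is an added example written for this advisory, not Microsoft's own .reg file: it applies the block for one CLSID on both the native and WOW6432Node registry views and then verifies it. The CLSID is deliberately a parameter, because the control to block is not stated on this page and must be taken from the MSRC guidance for CVE-2026-21509; the script name and the 0x400 value being the relevant flag are assumptions stated in the comments.

```powershell
# Block-OfficeComControl.ps1 (hypothetical name; added example, not Microsoft's mitigation file)
# Run from an elevated PowerShell session. Applies the Office "COM Compatibility" block
# for a single CLSID and verifies that it took. The CLSID must come from the MSRC page for
# CVE-2026-21509; no CLSID is hard-coded here on purpose.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
    [string]$Clsid
)

# 0x400 is the Office COM Compatibility flag that prevents the control from being instantiated
# (assumed here to be the flag the MSRC mitigation sets; confirm against the MSRC .reg file).
$BlockFlag = 0x400
$ValueName = 'Compatibility Flags'

# Both registry views: 64-bit Office reads the first, 32-bit Office on 64-bit Windows reads the second.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility'
)

function Set-OfficeComBlock {
    param([string]$Base, [string]$Clsid, [int]$Flag)
    $key = Join-Path $Base $Clsid
    # New-Item -Force also creates the intermediate "COM Compatibility" key if it is missing.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any other compatibility bits already set for this CLSID and OR in the block bit.
    $existing = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $newValue = if ($null -eq $existing) { $Flag } else { [int]$existing -bor $Flag }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $newValue -Force | Out-Null
}

function Test-OfficeComBlock {
    param([string]$Base, [string]$Clsid, [int]$Flag)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return $false }
    $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    return ($null -ne $current) -and (([int]$current -band $Flag) -eq $Flag)
}

foreach ($base in $BasePaths) {
    # The WOW6432Node view only exists on 64-bit Windows; skip it elsewhere.
    if ($base -like '*WOW6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node')) { continue }
    Set-OfficeComBlock -Base $base -Clsid $Clsid -Flag $BlockFlag
    $state = if (Test-OfficeComBlock -Base $base -Clsid $Clsid -Flag $BlockFlag) { 'PRESENT' } else { 'MISSING' }
    Write-Output ("{0}\{1} -> '{2}' block {3}" -f $base, $Clsid, $ValueName, $state)
}

Write-Output 'Restart any running Office applications so the new compatibility flag is honoured.'
```

Usage: `.\Block-OfficeComControl.ps1 -Clsid '{CLSID-from-MSRC-guidance}'`. The Test-OfficeComBlock function can be reused on its own from an endpoint-management tool to audit which machines still lack the interim mitigation; once the January 26, 2026 updates are confirmed installed, follow the MSRC guidance on whether the key should be left in place or removed.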

Source:

  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509

Ampcus Cyber