Zero-day vulnerability Microsoft Office – CVE-2026-21509

CVE-2026-21509 is the latest zero-day vulnerability impacting Microsoft Office products. The vulnerability has been ‘exploited’ by threat actors and has assumed ‘zero-day’ status because of this reason.

Microsoft rolled out fix for the vulnerability on 26 January 2026. Details of the vulnerability and the security updates are shared below.

In this post, we cover the following topics

1. About security vulnerability CVE-2026-21509
2. List of affected versions of Microsoft Office
3. Security updates for CVE-2026-21509

About CVE-2026-21509

CVE-2026-21509 is a Security Feature Bypass Vulnerability in Microsoft Word and it affects Microsoft Office editions beginning Microsoft Office 2016 versions.

Essential characteristics include:

• CVSS (3.1) Score – 7.8
• Impact – Security Feature Bypass
• Severity – Important
• Exploitation Assessment – Exploitation Detected

Vulnerability Summary – Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. The vulnerability allows the attacker to bypass OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls.

Microsoft Office versions affected by CVE-2026-21509

The following versions of Microsoft Office are impacted by the zero-day vulnerabilty:

• Microsoft Office 2016 (64-bit edition)
• Microsoft Office 2016 (32-bit edition)
• Microsoft Office LTSC 2024 for 64-bit editions
• Microsoft Office LTSC 2024 for 32-bit editions
• Microsoft Office LTSC 2021 for 32-bit editions
• Microsoft Office LTSC 2021 for 64-bit editions
• Microsoft 365 Apps for Enterprise for 64-bit Systems
• Microsoft 365 Apps for Enterprise for 32-bit Systems
• Microsoft Office 2019 for 64-bit editions
• Microsoft Office 2019 for 32-bit editions

Security updates for CVE-2026-21509 have been rolled out on 26 January 2026.

Security Updates for CVE-2026-21509

Microsoft rolled out security updates on 26 January 2026. The updates can be applied using the Update program. Or, you could download the update through the vulnerability page.

• KB5002713 is the security update for Office 2016. The vulnerability is resolved in build number 16.0.5539.1001 for Office 2016.
• All other Microsoft Office editions can download the update through the ‘Click to Run’ option on Windows Security Page.
• Office 2019 build 16.0.10417.20095 contains fix for CVE-2026-21509 vulnerabilty.

Customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect. Customers running Office 2016 and 2019 are not protected until they install the security update. For administrators unable to install the latest security updates on Microsoft Office 2016 or Microsoft Office 2019, please use the mitigation steps through addition of registry keys shared on the vulnerability page.

We recommend that administrators must install the security update or perform mitigation steps to overcome CVE-2026-21509.