Microsoft Releases Emergency Update to Fix Actively Exploited Zero-Day Vulnerability in Microsoft Office


Wednesday, January 28, 2026

Microsoft has released an out-of-band security update to address an actively exploited zero-day vulnerability in Microsoft Office, tracked as CVE-2026-21509. The vulnerability affects multiple Office versions, including Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise.

According to Microsoft, the flaw is classified as a Security Feature Bypass vulnerability, caused by the application relying on untrusted input when making security decisions. This allows attackers to bypass built-in security protections by delivering a maliciously crafted Office document and tricking victims into opening it. Microsoft confirmed that the Preview Pane is not affected and cannot be used as an attack vector. However, the company has not yet disclosed detailed technical information about the attacks observed in the wild.

The update closes bypasses of Office's OLE and COM control protections that could otherwise allow risky controls to execute. For Office 2021 and newer versions, protection is applied automatically via a service-side fix once the application is restarted. Users of Office 2016 and Office 2019, however, must install the upcoming security updates or manually configure Windows Registry settings to block the vulnerable COM/OLE controls. Microsoft advises users to back up the registry before making changes and to restart Office applications after applying the mitigation.
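As an added example (not code from the article or from Microsoft's advisory), the PowerShell below follows the manual-mitigation sequence described for Office 2016/2019: back up the registry key, set the Office COM kill bit, verify it, then remind the operator to restart Office. It assumes the Office COM Compatibility layout (`HKCU:\Software\Microsoft\Office\16.0\Common\COM Compatibility\{CLSID}` with DWORD `Compatibility Flags` = 0x400); the CLSID shown is a placeholder, and the real list must come from Microsoft's guidance for CVE-2026-21509.

```powershell
# Added example (not from the article or Microsoft). Assumes the Office COM
# kill-bit layout: <base>\{CLSID} with DWORD "Compatibility Flags" = 0x400.
# The CLSID below is a PLACEHOLDER; use the ones Microsoft lists for CVE-2026-21509.
param(
    [string]$BasePath = 'HKCU:\Software\Microsoft\Office\16.0\Common\COM Compatibility',
    [string[]]$Clsids = @('{00000000-0000-0000-0000-000000000000}'),
    [string]$BackupFile = "$env:TEMP\COMCompat-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
)

$KillBit = 0x400

# 1. Back up the existing key before touching it (reg.exe wants the HKCU\ form).
$regExePath = $BasePath -replace '^HKCU:\\', 'HKCU\' -replace '^HKLM:\\', 'HKLM\'
if (Test-Path $BasePath) {
    reg.exe export $regExePath $BackupFile /y | Out-Null
    Write-Host "Backup written to $BackupFile"
} else {
    New-Item -Path $BasePath -Force | Out-Null
    Write-Host "Key did not exist; created $BasePath (nothing to back up)"
}

# 2. Set the kill bit for each CLSID, preserving any flags already present.
foreach ($clsid in $Clsids) {
    $keyPath = Join-Path $BasePath $clsid
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($current) -bor $KillBit
    Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value $new -Type DWord
}

# 3. Verify: read every value back and report whether the kill bit is set.
foreach ($clsid in $Clsids) {
    $keyPath = Join-Path $BasePath $clsid
    $flags = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band $KillBit) { 'BLOCKED' } else { 'NOT blocked' }
    Write-Host ("{0}: Compatibility Flags = 0x{1:X} ({2})" -f $clsid, $flags, $state)
}
Write-Host 'Restart all Office applications for the change to take effect.'
```

Rolling back is `reg.exe import <BackupFile>` followed by an Office restart, which is why the backup step runs before any value is written.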

Source: https://securityaffairs.com/187349/hacking/emergency-microsoft-update-fixes-in-the-wild-office-zero-day.html