Microsoft Issues Emergency Patch for Actively Exploited Office Zero-Day
Take action: For everyone using Microsoft Office, this is important and urgent. Attackers are exploiting the flaw with malicious MS Office documents. Restart all Microsoft 365 and Office 2021 applications immediately to pick up the service-side security fix. For older versions such as Office 2016, apply the registry workaround until Microsoft releases a formal patch.
Microsoft released emergency out-of-band security updates to fix an actively exploited zero-day vulnerability in Microsoft Office.
The vulnerability is tracked as CVE-2026-21509 (CVSS score 7.8), a security feature bypass in Microsoft Office that allows attackers to circumvent OLE security protections via malicious files. The bug stems from how Office handles untrusted input when making security decisions. By exploiting this logic error, attackers can bypass the Object Linking and Embedding (OLE) mitigations that normally protect users from dangerous COM and OLE controls.
To exploit the flaw, an attacker must deliver a specially crafted Office file to the target. The attack succeeds only if the user opens the malicious document; the Preview Pane is not an attack vector, so merely previewing the file in a folder does not trigger the exploit.
Microsoft has not yet shared technical details regarding the specific groups or methods used in these attacks.
The flaw impacts Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise.
Microsoft is still working on formal patches for older versions like Office 2016 and 2019, promising to release them as soon as possible. For newer versions, a service-side fix is already active but requires a software restart.
Users on Microsoft 365 or Office 2021 and later are protected automatically once they restart their applications. However, users on Office 2016 and 2019 remain at risk until a patch is released. Microsoft recommends these users apply a manual registry workaround:
- Close all Microsoft Office applications.
- Create a backup of the Windows Registry.
- Open the Windows Registry Editor (regedit.exe) and check whether one of the following Registry keys exists:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Office, or 32-bit Office on 32-bit Windows)
  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Office on 64-bit Windows)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\
- If none of the above keys exist, create a new "COM Compatibility" key under the following Registry path by right-clicking on Common and selecting New -> Key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\
- Right-click on the existing or newly created COM Compatibility key, select New -> Key, and name it {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
- Once the {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} key is created, right-click on it and select New -> DWORD (32-bit) Value. Name the new value Compatibility Flags.
- Once the Compatibility Flags value is created, double-click on it, make sure the Base option is set to Hexadecimal, and enter 400 in the Value data field.
After performing these steps, the flaw will be mitigated when you next launch an Office application.
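The manual regedit steps above are error-prone to repeat across a fleet of Office 2016/2019 machines. The script below is an added example (not Microsoft's tooling and not from the original advisory) that performs the same workaround from an elevated PowerShell session: it locates whichever COM Compatibility key exists, backs the parent Common key up with reg.exe before touching it, creates the {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} subkey with a Compatibility Flags DWORD of 0x400, and then reads the value back to verify. The key paths, CLSID, value name and value are taken from the steps above; applying the mitigation to every candidate key that exists (rather than only the first) and the Office process check are this example's own choices, not part of Microsoft's instructions.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the CVE-2026-21509 registry workaround described in the article.
# Assumption: the mitigation is written to every candidate key that exists on the host.

$Clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID from the article
$ValueName = 'Compatibility Flags'                       # DWORD name from the article
$ValueData = 0x400                                       # Hexadecimal 400, per the article

# The four locations listed in the article, in PowerShell HKLM: drive form.
$CandidateKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
)
# Where the article says to create the key when none of the above exists.
$DefaultKey = $CandidateKeys[0]

function Assert-OfficeClosed {
    # Step 1 of the workaround: Office must not be running. Process names are the standard Office executables.
    $running = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK, MSACCESS, VISIO -ErrorAction SilentlyContinue
    if ($running) {
        throw "Close these Office processes first: $(($running.Name | Sort-Object -Unique) -join ', ')"
    }
}

function Backup-ParentKey {
    # Step 2: export the Common key that will be modified to a .reg file before changing anything.
    param([string]$ComCompatKey)
    $parent = Split-Path -Path $ComCompatKey -Parent
    $native = $parent -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    $file   = Join-Path $env:TEMP ("office-com-compat-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $native $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $native failed" }
    Write-Host "Backup written to $file"
}

function Set-ComCompatWorkaround {
    # Steps 4-6: create the CLSID subkey and the Compatibility Flags DWORD.
    param([string]$ComCompatKey)
    $clsidKey = Join-Path $ComCompatKey $Clsid
    if (-not (Test-Path -LiteralPath $clsidKey)) {
        New-Item -Path $clsidKey -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $clsidKey -Name $ValueName -PropertyType DWord -Value $ValueData -Force | Out-Null
}

function Test-ComCompatWorkaround {
    # Read the value back; true only if the 0x400 bit is set.
    param([string]$ComCompatKey)
    $clsidKey = Join-Path $ComCompatKey $Clsid
    if (-not (Test-Path -LiteralPath $clsidKey)) { return $false }
    $current = (Get-ItemProperty -LiteralPath $clsidKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    return ($null -ne $current) -and (($current -band $ValueData) -eq $ValueData)
}

Assert-OfficeClosed

# Step 3: find existing COM Compatibility keys; create the default one if there are none.
$targets = @($CandidateKeys | Where-Object { Test-Path -LiteralPath $_ })
if ($targets.Count -eq 0) {
    Write-Host "No COM Compatibility key found; creating $DefaultKey"
    New-Item -Path $DefaultKey -Force | Out-Null
    $targets = @($DefaultKey)
}

foreach ($key in $targets) {
    Backup-ParentKey -ComCompatKey $key
    Set-ComCompatWorkaround -ComCompatKey $key
    if (Test-ComCompatWorkaround -ComCompatKey $key) {
        Write-Host "Mitigation verified under $key"
    } else {
        Write-Warning "Mitigation could NOT be verified under $key"
    }
}
Write-Host "Done. The mitigation takes effect the next time an Office application is launched."
```

Run it once per machine from an elevated prompt; Test-ComCompatWorkaround can also be called on its own afterwards (or from an audit script) to confirm the value is still present after later Office updates, since a formal patch for Office 2016/2019 may eventually make the workaround unnecessary but will not necessarily remove it.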