NEWS The corporation warned about the threat of hacking through malicious Office documents.

rottingcastle


Microsoft urgently released unscheduled security updates for Microsoft Office because of a dangerous zero-day vulnerability that is already being used in real attacks. The flaw allows built-in protection mechanisms to be bypassed and can be exploited through an ordinary malicious document if the user simply opens the file.

The vulnerability was assigned CVE-2026-21509 and affects Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024 and Microsoft 365 Apps for Enterprise. According to the company, fixes are already available for newer versions of Office, and users of Office 2021 and more recent builds will be protected automatically after restarting their applications. The updates for Office 2016 and 2019 have not yet been released and will appear later.

The core of the problem is a bypass of the defense mechanisms associated with COM and OLE components. It is enough for the attacker to send a malicious file to the victim and convince them to open the document, after which the attack can be executed locally. Microsoft emphasizes that the preview pane is not an attack vector, but the user's interaction with the file remains a key risk factor.

For Office 2016 and 2019 users, the company has proposed temporary measures based on changes to the Windows registry, which, according to Microsoft, can reduce the risk of exploitation before official patches are released. At the same time, the corporation did not disclose how the vulnerability was detected or any technical details of the attacks. The incident became part of a larger wave of urgent updates in January 2026, by which point Microsoft had already closed dozens of other vulnerabilities, including several heavily exploited zero-day bugs.
 