Microsoft has released emergency out-of-band security updates to patch a high-severity zero-day vulnerability in Microsoft Office that is being actively exploited in attacks.

The vulnerability, tracked as CVE-2026-21509, is a security feature bypass that affects multiple versions of Office, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise.

Vulnerability and Patch Details

The vulnerability allows an unauthenticated attacker to bypass a security feature locally. Exploitation is low in complexity but requires user interaction: the attacker must convince the user to open a malicious Office file, and the Preview Pane is not a direct attack vector.

Although security updates are available for most versions of Office, Microsoft has noted that patches for Microsoft Office 2016 and Office 2019 are not yet available. The company is working to release them as soon as possible.

Mitigation Measures for Office 2016/2019 Users

Until the final patches for Office 2016 and 2019 arrive, Microsoft has provided a mitigation measure, a modification to the Windows registry, that “could reduce the severity of the exploit.”

Steps to apply the registry mitigation:

  1. Close all Microsoft Office applications.
  2. Open Windows Registry Editor (regedit.exe).
  3. Locate the COM compatibility registry key for your version of Office. Common paths are:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Office, or 32-bit Office on 32-bit Windows)
    • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Office on 64-bit Windows)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Office ClickToRun)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Office ClickToRun on 64-bit Windows)
  4. If the “COM Compatibility” key does not exist, create it manually under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\.
  5. Create a new subkey under “COM Compatibility” and name it {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
  6. Inside the new key {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}, create a new DWORD (32-bit) value called Compatibility Flags.
  7. Assign the value 400 to the “Value data” field of Compatibility Flags.

Once these steps are completed, the vulnerability will be mitigated the next time an Office application is started.
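The same steps as a script, an added example that is not from the article or from Microsoft: it applies the Compatibility Flags value under whichever of the listed key paths exists on the machine and then reports the result per path. It assumes the regedit DWORD editor's default hexadecimal base, so the “400” of step 7 is written as 0x400.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code): apply and verify the CVE-2026-21509
# COM Compatibility registry mitigation for Office 2016/2019.
# Assumption: regedit's DWORD editor is in hexadecimal mode, so "400" is 0x400.

$Clsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$Flag  = 0x400   # "400" as typed into regedit (1024 decimal)

# Candidate parents of the "COM Compatibility" key, taken from step 3.
$Bases = @(
  'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common',
  'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common',
  'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common'
)

function Set-OfficeComMitigation {
  # Steps 4-7: create "COM Compatibility" and the CLSID subkey if missing, then set the DWORD.
  foreach ($base in $Bases) {
    if (-not (Test-Path $base)) { continue }   # this hive layout is not used by the installed Office
    $key = Join-Path (Join-Path $base 'COM Compatibility') $Clsid
    New-Item -Path $key -Force | Out-Null      # -Force creates intermediate keys as needed
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $Flag -Force | Out-Null
    Write-Host "Applied mitigation under $key"
  }
}

function Test-OfficeComMitigation {
  # Audit: for each existing base path, is the flag present with the expected value?
  foreach ($base in $Bases) {
    if (-not (Test-Path $base)) { continue }
    $key = Join-Path (Join-Path $base 'COM Compatibility') $Clsid
    $val = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{ Base = $base; Mitigated = ($val -eq $Flag); Value = $val }
  }
}

# Step 1: refuse to run while Office applications are open.
if (Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue) {
  throw 'Close all Microsoft Office applications before applying the mitigation.'
}
Set-OfficeComMitigation
Test-OfficeComMitigation | Format-Table -AutoSize
```

Run Test-OfficeComMitigation alone to audit a fleet without changing anything; a Mitigated value of False on a path that exists means the key is absent or holds a different value.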

Recent Security Context

This zero-day vulnerability adds to Microsoft’s security concerns in January 2026. Previously, during this month’s Patch Tuesday, Microsoft fixed 114 bugs, including another actively exploited zero-day (an information disclosure vulnerability in Desktop Window Manager) and two publicly disclosed zero-day vulnerabilities.

Additionally, Microsoft released out-of-band updates last week to fix issues caused by the January Patch Tuesday updates, such as crashes with Windows shutdown and Cloud PC functionality, and an issue that caused the classic Outlook client to freeze.

References

  • CVE-2026-21509: Security feature bypass vulnerability in Microsoft Office.