Microsoft releases emergency patches for Office zero-day vulnerability
Microsoft has released emergency out-of-band security updates to patch a high-severity zero-day vulnerability in Microsoft Office that is being actively exploited in attacks. The vulnerability, tracked as CVE-2026-21509, is a security feature bypass that affects multiple versions of Office, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise.

Vulnerability and Patch Details

The vulnerability allows an unauthenticated attacker to bypass a security feature locally. To exploit the flaw, the attacker must convince the user to open a malicious Office file, although the preview pane is not a direct attack vector. Exploitation is low in complexity and requires user interaction. ...