Vulnerability Management, Patch/Configuration Management

Actively exploited Microsoft Office zero-day fixed


Emergency security updates have been released by Microsoft to remediate the actively exploited Office security feature bypass zero-day, tracked as CVE-2026-21509, Security Affairs reports.

Microsoft Office LTSC 2024, Office LTSC 2021, Office 2019, and Office 2016, as well as Microsoft 365 Apps for Enterprise, are affected by the vulnerability, which could be leveraged to circumvent the OLE security defenses in Office and Microsoft 365 and expose vulnerable COM/OLE controls.

"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. An attacker must send a user a malicious Office file and convince them to open it," said Microsoft, which emphasized that the issue does not impact the Office Preview Pane.

While a service-side fix automatically secures Office 2021 and later instances, organizations using Office 2016 and Office 2019 have been urged to either apply the update or make a registry change to avoid exposing weak COM/OLE controls.
