Microsoft on Monday issued out-of-band safety patches for a high-severity Microsoft Workplace zero-day vulnerability exploited in assaults.
The vulnerability, tracked as CVE-2026-21509, carries a CVSS rating of seven.8 out of 10.0. It has been described as a safety function bypass in Microsoft Workplace.
“Reliance on untrusted inputs in a safety resolution in Microsoft Workplace permits an unauthorized attacker to bypass a safety function regionally,” the tech large mentioned in an advisory.
“This replace addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Workplace, which shield customers from weak COM/OLE controls.”
Profitable exploitation of the flaw depends on an attacker sending a specifically crafted Workplace file and convincing recipients to open it. It additionally famous that the Preview Pane isn’t an assault vector.
The Home windows maker mentioned prospects operating Workplace 2021 and later will probably be mechanically protected through a service-side change, however will probably be required to restart their Workplace functions for this to take impact. For these operating Workplace 2016 and 2019, it is required to put in the next updates –
- Microsoft Workplace 2019 (32-bit version) – 16.0.10417.20095
- Microsoft Workplace 2019 (64-bit version) – 16.0.10417.20095
- Microsoft Workplace 2016 (32-bit version) – 16.0.5539.1001
- Microsoft Workplace 2016 (64-bit version) – 16.0.5539.1001
As mitigation, the corporate is urging that prospects make a Home windows Registry change by following the steps outlined under –
- Take a backup of the Registry
- Exit all Microsoft Workplace functions
- Begin the Registry Editor
- Find the correct registry subkey –
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0CommonCOM Compatibility for 64-bit MSI Workplace or 32-bit MSI Workplace on 32-bit Home windows
- HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit MSI Workplace on 64-bit Home windows
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareMicrosoftOffice16.0CommonCOM Compatibility for 64-bit Click2Run Workplace or 32-bit Click2Run Workplace on 32-bit Home windows
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit Click2Run Workplace on 64-bit Home windows
- Add a brand new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and selecting Add Key.
- Inside that subkey, add new worth by right-clicking the brand new subkey and selecting New > DWORD (32-bit) Worth
- Add a REG_DWORD hexadecimal worth referred to as ”Compatibility Flags” with a price of 400
- Exit Registry Editor and begin the Workplace software
Microsoft has not shared any particulars in regards to the nature and the scope of assaults exploiting CVE-2026-21509. It credited the Microsoft Menace Intelligence Middle (MSTIC), Microsoft Safety Response Middle (MSRC), and Workplace Product Group Safety Workforce for locating the problem.
The event has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to add the flaw to its Identified Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Government Department (FCEB) businesses to use the patches by February 16, 2026.
