Office off-cycle patch fixes CVE-2026-21509: a vulnerability already being used to bypass COM/OLE protections in targeted attacks


Microsoft has released an off-cycle (out-of-band) patch for a high-severity vulnerability in Microsoft Office that is already being exploited in targeted attacks. Tracked as CVE-2026-21509, the flaw carries a CVSS score of 7.8/10 and is classified as a security feature bypass: it lets an attacker get around the mechanisms Office uses to block unsafe COM/OLE controls.

In practical terms, an attacker sends a crafted Office file and, if the victim opens it, the flaw can cause the defenses that normally stop vulnerable OLE components from loading to be skipped. Microsoft has stated explicitly that the Preview Pane is not an attack vector for this flaw, so successful exploitation depends on getting the user to open the malicious document in the Office application itself; the user interaction requirement is one reason the score stops at 7.8 rather than higher.


The company has published a technical advisory with details and a mitigation, and credits the finding to the joint work of the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC) and the security team of the Office product group. The official guidance is on Microsoft's page for the CVE: msrc.microsoft.com/update-guide/CVE-2026-21509.

Microsoft has applied a service-side fix for customers on Office 2021 and later, which means these users are protected without installing a local patch, although Office applications must be restarted for the change to take effect; long-running sessions left open are not covered until they are closed. For older installations, such as Office 2016 and 2019, Microsoft has published specific builds that must be installed to close the gap; anyone relying on these versions should check and install the update matching their edition and architecture.

If the updates cannot be applied immediately, Microsoft proposes a mitigation based on a Windows Registry change. Before touching anything, the company recommends backing up the Registry; the procedure for saving and restoring it is described on this support page: How to back up and restore the Registry. The mitigation consists of closing all Office applications, opening the Registry Editor and creating a new compatibility key under the Office installation branch (the exact path differs between MSI and Click-to-Run installations and between 32-bit and 64-bit Windows). Inside that key, add a REG_DWORD value named "Compatibility Flags" with the hexadecimal value 0x400; then close the Registry Editor and restart the Office application so the setting takes effect. Two things a practitioner should keep in mind: the flag is only read when an Office application starts, so the change does nothing for applications that were left running, and the key is a stopgap that should be reviewed once the real update is in place rather than left behind indefinitely.
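The following PowerShell script is an added example for applying (and later reverting) that workaround on a single machine; it is not Microsoft's script and is not taken from the advisory. The key path and the CLSID it ends in are placeholders that must be taken from the MSRC advisory for your installation type (MSI vs Click-to-Run, 32- vs 64-bit), and the location under "Office\Common\COM Compatibility" is assumed here as the usual home of Office's per-control "Compatibility Flags" values. The script refuses to run while Office is open, exports the parent branch with reg.exe before writing, and reads the value back to verify it.

```powershell
# Added example (not Microsoft's own script): applies or reverts the registry
# workaround described above. $KeyPath is a placeholder; take the exact key
# path and CLSID from the MSRC advisory for CVE-2026-21509.
# Run from an elevated PowerShell.
param(
    [Parameter(Mandatory = $true)]
    [string]$KeyPath,       # e.g. 'HKLM:\SOFTWARE\...\Office\Common\COM Compatibility\{CLSID-from-advisory}'
    [switch]$Revert,        # remove the workaround once the real update is installed
    [string]$BackupFile = "$env:TEMP\office-com-compat-backup.reg"
)

$ValueName = 'Compatibility Flags'
$KillFlag  = 0x400          # value Microsoft specifies for this workaround

# The flag is read when an Office application starts, so refuse to proceed
# while any Office process is still running.
$officeProcs = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK, MSACCESS, MSPUB, VISIO -ErrorAction SilentlyContinue
if ($officeProcs) {
    Write-Error ("Close these Office processes first: " + (($officeProcs.Name | Sort-Object -Unique) -join ', '))
    exit 1
}

if ($Revert) {
    if (Test-Path $KeyPath) {
        Remove-Item -Path $KeyPath -Recurse -Force
        Write-Host "Removed $KeyPath (restart Office applications)"
    } else {
        Write-Host "Nothing to revert: $KeyPath does not exist"
    }
    exit 0
}

# Back up the parent branch before changing it, as Microsoft advises. The
# parent exists on any Office install; the CLSID subkey usually does not yet.
# reg.exe wants the long hive name, PowerShell uses the HKLM:\ drive form.
$parent       = Split-Path -Path $KeyPath -Parent
$nativeParent = $parent -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
& reg.exe export $nativeParent $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "Backup of $nativeParent failed; not changing anything"
    exit 1
}
Write-Host "Backup written to $BackupFile"

# Create the key (-Force also creates missing intermediate keys) and set the flag.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $ValueName -Value $KillFlag -PropertyType DWord -Force | Out-Null

# Verify by reading the value back rather than trusting the write.
$actual = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($actual -ne $KillFlag) {
    Write-Error "Verification failed: $ValueName is $actual"
    exit 1
}
Write-Host ("{0}\{1} = 0x{2:X}  (restart Office applications for it to take effect)" -f $KeyPath, $ValueName, $actual)
```

Usage: `.\Set-OfficeComKillFlag.ps1 -KeyPath 'HKLM:\...\COM Compatibility\{CLSID}'` to apply, and the same command with `-Revert` to remove the key after the update is installed. For fleet deployment the same two operations map directly onto a Group Policy Preferences registry item or an Intune remediation script; the backup step matters most on hand-managed machines.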

For a better understanding of why OLE components are affected and what these mitigations actually do, there are resources that explain how OLE works and why COM/OLE controls are such a frequent exploitation vector; a good starting point is the technical explanation of OLE mitigations from security platforms such as Huntress: What is OLE?.


Microsoft has not published details on how many campaigns there are or how widely the attacks have used this vulnerability, but its severity and the confirmed in-the-wild exploitation were enough for the US Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog. Inclusion obliges US federal civilian agencies to apply the fix by a deadline set by CISA; the official notice of inclusion is available here: CISA adds vulnerability to the KEV catalogue, and the public catalog can be consulted at Known Exploited Vulnerabilities (KEV).

For administrators and security teams the recommendation is twofold: prioritize installing the updates Microsoft has published and, while they are being rolled out, apply the Registry mitigation in environments where the update is not immediately feasible. Beyond that, the usual preventive controls should be reinforced: filter attachments and active content in mail, remind users not to open unsolicited documents, and monitor endpoints for unusual activity tied to Office processes, since a document-borne attack that succeeds typically shows up as an Office application starting something it normally never starts.
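As an added example of that last point, the script below (not from the article or from Microsoft) is a simple triage filter for Office applications spawning child processes, built on Sysmon Event ID 1 (ProcessCreate) fields. The parent and child lists are starting points to tune for your estate, and the two sample records are constructed for this example rather than real telemetry; a helper is included for pulling the same fields from a live Sysmon log.

```powershell
# Added example: flag Office applications that spawn scripting or LOLBin
# children. Field names follow Sysmon Event ID 1; sample data is constructed.

$OfficeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE', 'MSPUB.EXE'
# Children that Office has little legitimate reason to start; tune to your environment.
$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                      'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'msiexec.exe'

function Find-OfficeChildProcess {
    param([Parameter(Mandatory = $true)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = [System.IO.Path]::GetFileName($e.ParentImage)
        $child  = [System.IO.Path]::GetFileName($e.Image)
        if ($OfficeParents -contains $parent.ToUpperInvariant() -and
            $SuspiciousChildren -contains $child.ToLowerInvariant()) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                Host        = $e.Computer
                User        = $e.User
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Pull the same fields from the live Sysmon log (requires Sysmon and an elevated prompt).
function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                UtcTime = $d.UtcTime; Computer = $x.Event.System.Computer; User = $d.User
                Image = $d.Image; ParentImage = $d.ParentImage; CommandLine = $d.CommandLine
            }
        }
}

# Constructed sample: one benign Word child process, one that should be flagged.
$sample = @(
    [pscustomobject]@{
        UtcTime = '2026-01-27 09:12:01.100'; Computer = 'WS01'; User = 'CORP\alice'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image = 'C:\Program Files\Microsoft Office\root\Office16\ProtocolHandler.exe'
        CommandLine = 'ProtocolHandler.exe'
    },
    [pscustomobject]@{
        UtcTime = '2026-01-27 09:12:04.331'; Computer = 'WS01'; User = 'CORP\alice'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c powershell -nop -w hidden -f C:\Users\alice\AppData\Local\Temp\update.ps1'
    }
)

# Only the second record is reported.
Find-OfficeChildProcess -Events $sample | Format-Table -AutoSize

# Against the real log instead:
# Find-OfficeChildProcess -Events (Get-SysmonProcessCreate) | Format-Table -AutoSize
```

The filter is deliberately narrow: Office starting cmd.exe or a script host is rare enough in most estates that each hit is worth a look, while a broader "any child of Office" rule drowns in updaters, protocol handlers and add-in helpers. Start with the narrow list, review what it misses in your own baseline, and widen it from there.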

In an ecosystem where documents remain a favourite intrusion vector, this fix is a reminder that the risk persists and that keeping software up to date is still the most effective defense. Keep an eye on the official advisories and apply the recommended updates as soon as possible.
