
"The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office. "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," the tech giant said in an advisory. "This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.""
"As mitigation, the company is urging that customers make a Windows Registry change by following the steps outlined below:
1. Take a backup of the Registry
2. Exit all Microsoft Office applications
3. Start the Registry Editor
4. Locate the proper registry subkey:
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ for 64-bit MSI Office or 32-bit MSI Office on 32-bit Windows
   - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ for 32-bit MSI Office on 64-bit Windows
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software"
Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability, CVE-2026-21509, with a CVSS score of 7.8. The flaw is a security feature bypass caused by reliance on untrusted inputs that can allow a local attacker to evade defenses. The update closes an issue that bypasses OLE mitigations in Microsoft 365 and Office protecting against vulnerable COM/OLE controls. Exploitation requires a specially crafted Office file and a recipient opening it; the Preview Pane is not an attack vector. Office 2021 and later receive automatic service-side protection after restarting Office; Office 2016 and 2019 require specific updates. Microsoft recommends backing up the Registry and applying a registry-change mitigation if needed.
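The registry procedure quoted above is easy to get wrong on a fleet: the wrong subkey gets edited for the install flavour, or the change is made while Office is still open. The PowerShell below is an added pre-flight helper, not code from The Hacker News or from Microsoft's advisory. It enforces the "exit all Office applications" step, exports the relevant parent key to a .reg file as the backup, and reports which of the advisory's subkeys applies. It deliberately does not write the mitigation value itself, because the CLSID and flag value are in Microsoft's advisory and are not reproduced on this page; the Click-to-Run subkey is also truncated here, so the script only points at the advisory for that case. The process names, the Click-to-Run detection via the ClickToRun key, and the WOW6432Node heuristic are assumptions of this example, not statements from the advisory.

```powershell
# Added example (not the article's or Microsoft's code): pre-flight for the
# CVE-2026-21509 registry mitigation. Run elevated.
#Requires -RunAsAdministrator
param(
    [string]$BackupDir = (Join-Path $env:TEMP 'OfficeComCompatBackup')
)
$ErrorActionPreference = 'Stop'

# Step "Exit all Microsoft Office applications": refuse to continue while any are open.
# Process list is an assumption; extend it for other Office apps in your estate.
$officeProcs = 'WINWORD','EXCEL','POWERPNT','OUTLOOK','MSACCESS','VISIO','ONENOTE','MSPUB'
$running = Get-Process -Name $officeProcs -ErrorAction SilentlyContinue
if ($running) {
    $names = ($running | Select-Object -ExpandProperty Name | Sort-Object -Unique) -join ', '
    throw "Exit these Office applications first: $names"
}

# Subkeys named in the advisory for MSI-based Office (PowerShell HKLM: drive form).
$msiNative = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
$msiWow    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
# Click-to-Run keeps a virtualised hive under this root; the page truncates the rest
# of the path, so the full subkey must be taken from the advisory.
$c2rRoot   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun'

# Step "Locate the proper registry subkey". Assumptions: a Click-to-Run install is
# recognisable by the ClickToRun key; 32-bit MSI Office on 64-bit Windows lives under
# WOW6432Node; anything else is the native MSI path.
if (Test-Path $c2rRoot) {
    $flavour = 'Click-to-Run'
    $target  = $null
} elseif ([Environment]::Is64BitOperatingSystem -and (Test-Path (Split-Path $msiWow -Parent))) {
    $flavour = '32-bit MSI Office on 64-bit Windows'
    $target  = $msiWow
} else {
    $flavour = '64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows'
    $target  = $msiNative
}
Write-Host "Detected install flavour: $flavour"

# Step "Take a backup of the Registry": export the parent ...\16.0\Common key of each
# MSI path that exists, since "COM Compatibility" itself may not exist yet.
# reg.exe wants HKLM\... rather than the HKLM:\ drive form.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($key in @($msiNative, $msiWow)) {
    $parent = Split-Path $key -Parent
    if (-not (Test-Path $parent)) { continue }
    $regPath = $parent -replace '^HKLM:\\', 'HKLM\'
    $file = Join-Path $BackupDir ("{0}-{1}.reg" -f ($regPath -replace '[\\ ]', '_'), $stamp)
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed" }
    Write-Host "Backed up $regPath -> $file"
}

# Hand off to the operator: the actual value to create is in the advisory.
if ($target) {
    Write-Host "Apply the advisory's mitigation under: $target"
} else {
    Write-Host "Click-to-Run detected: back up and edit the ClickToRun subkey exactly as given in Microsoft's advisory (path truncated on this page)."
}
```

Run it once per host before the manual edit; the .reg files it writes are what you import with `reg import` if the mitigation has to be rolled back after the out-of-band update is deployed.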
Read at The Hacker News