Planned Fix

CVE-2026-21509

Microsoft Office security feature bypass

Summary

Microsoft Office has a security feature bypass in its OLE/COM handling. A crafted Office document can trick Office into trusting untrusted input and loading a COM or OLE object that should be blocked, which is useful in phishing-style attacks after a victim opens the file. In affected unpatched builds, this can enable malicious payload delivery and lead to code execution.

Why Planned Fix? (4/6)

  • No authentication required
  • Internal deployment
  • User interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: Unknown
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes

Impact: RCE (Remote Code Execution)

Bypass Office security checks and load malicious COM/OLE content that can deliver code execution.
Exploitation Requirements
  • Victim opens a crafted Office document
  • Affected Office version is unpatched, or the service-side protection has not yet taken effect
  • No special privileges required
Exploitation Process

An attacker sends a crafted Office document, commonly an RTF or DOC file, that contains or references a vulnerable COM/OLE object. When the victim opens the file in Office, the security decision flaw causes Office to treat the untrusted content as allowed and load the blocked object. The attacker then uses that allowed object to continue the infection chain and deliver a payload.

Detection Resources
Manual Detection: 1
Scanner Detection: 1

Affected Software

Vendor: Microsoft

Product                            Affected Versions
Microsoft Office 2016              versions prior to 16.0.5539.1001
Microsoft Office 2019              versions prior to 16.0.10417.20095
Microsoft Office LTSC 2021         all supported versions
Microsoft Office LTSC 2024         all supported versions
Microsoft 365 Apps for enterprise  all supported versions
Description

Desktop productivity suite for creating and editing documents, spreadsheets, presentations, email, and related Office file formats.

Deployment: Typically internal | Protocol: Local file | Ports: none listed

Affected Component: Office document security decision logic for linked or embedded OLE/COM objects in Word and related Office apps.

Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals, not exact data.
Vendor Size: Big
Remediation

Workaround: Use Microsoft's Office COM kill-bit / COM compatibility registry mitigation to block the vulnerable COM object until patching is complete. (Reference: support.microsoft.com)

Patch: Not available

Update: Install Microsoft's January 26, 2026 Office security update. Office 2016 needs KB5002713 and build 16.0.5539.1001 or later; Office 2019 needs build 16.0.10417.20095 or later. Microsoft 365 Apps and Office LTSC 2021/2024 receive a service-side fix and require an Office restart. (Reference: msrc.microsoft.com)
Threat Intelligence

EPSS Score: 7.5% (probability of exploitation in the next 30 days)
EPSS Percentile: 92% (worse than 92% of all CVEs)
CISA KEV: Listed
Active Exploitation: Active (source: zscaler.com)

Threat Actors (1)
APT28 (Fancy Bear/UAC-0001): Russian-linked group targeting Ukrainian, Slovak, Romanian, and other Central/Eastern European government and diplomatic users

Detection Rules (2)
Yara: RTF_with_potential_CVE_2026_21509_exploit
Other: Scan Office files for Shell.Explorer OLE objects or external relationships that can trigger the legacy IE engine
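A defender-side file scanner, added here as an illustration of the second detection idea above; it is not the tracker's YARA rule or any Microsoft code. It flags RTF files whose embedded object class is Shell.Explorer and OOXML packages whose OLE relationship is external or whose OLEObject ProgID starts with Shell.Explorer; the namespace and relationship-type URIs are the standard OOXML values, and the sample inputs are constructed, inert fragments (the example.invalid host is a placeholder).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML / WordprocessingML namespace and relationship-type values used by Word.
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_O = "urn:schemas-microsoft-com:office:office"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RTF_OBJCLASS = re.compile(rb"\\objclass\s*Shell\.Explorer", re.I)  # {\*\objclass Shell.Explorer.2}
def _part(z, name):
    return ET.fromstring(z.read(name)) if name in z.namelist() else None  # None if part absent

def scan_docx(data: bytes) -> list:
    """Flag OOXML files with external OLE relationships or Shell.Explorer ProgIDs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        rels = _part(z, "word/_rels/document.xml.rels")
        for rel in (rels.iter(f"{{{NS_REL}}}Relationship") if rels is not None else []):
            if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                findings.append(f"DOCX: external OLE link {rel.get('Id')} -> {rel.get('Target')}")
        doc = _part(z, "word/document.xml")
        for obj in (doc.iter(f"{{{NS_O}}}OLEObject") if doc is not None else []):
            if (obj.get("ProgID") or "").lower().startswith("shell.explorer"):
                findings.append(f"DOCX: OLEObject ProgID {obj.get('ProgID')}")
    return findings

def scan_office_file(data: bytes) -> list:
    """Dispatch on container: OOXML is a zip (starts with PK), RTF starts with {\\rtf."""
    if data.startswith(b"PK"):
        return scan_docx(data)
    if data.startswith(b"{\\rtf") and RTF_OBJCLASS.search(data):
        return ["RTF: Shell.Explorer OLE object class"]
    return []

# Constructed sample inputs (not real documents) so the scanner can run offline.
SAMPLE_RTF = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Shell.Explorer.2}{\\*\\objdata 00}}}"

def build_sample_docx(external: bool = True) -> bytes:
    """Minimal constructed OOXML package whose one OLE object is a Shell.Explorer link."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{NS_REL}"><Relationship Id="rId5" Type="{OLE_REL}" '
            f'Target="http://example.invalid/x.htm"{mode}/></Relationships>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           f'xmlns:o="{NS_O}"><w:body><w:p><w:r><w:object><o:OLEObject Type="Link" '
           'ProgID="Shell.Explorer.2" ObjectID="_1"/></w:object></w:r></w:p></w:body></w:document>')
    with zipfile.ZipFile((buf := io.BytesIO()), "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```

Run scan_office_file over each attachment's bytes at a mail gateway or in a triage script; a non-empty result is a reason to quarantine the file for analysis, not proof of exploitation.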

NVD Data


Description Summary

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

CVSS Base Score: 7.8 (High)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-807 Reliance on Untrusted Inputs in a Security Decision

Affected Software (CPE) (10)

  • cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
  • cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
  • cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*
  • cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*
  • cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
  • cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*