Planned Fix

CVE-2026-21514

Word Security Feature Bypass

Summary

A local security feature bypass in Microsoft Word (Office) occurs when Word makes security decisions based on untrusted inputs, allowing an attacker to bypass protections. Exploitation requires a user to open a crafted Word document (CVSS UI:R) and may enable bypass of OLE/COM mitigations, potentially enabling further malicious action.

Why Planned Fix?

1/6
  • No authentication required
  • Deployment unknown
  • User interaction needed
  • Default configuration unknown
  • No active exploitation or PoC
  • Not a high impact vulnerability

Exploitation Details

Type:
Is exploitable with default configuration?: Unknown
Is authentication needed?: No
PoC / Exploit: No

Impact

Bypasses Word's security checks, potentially enabling the execution or activation of malicious controls within a document under the current user context.

Exploitation Requirements
  • A crafted Word document must be opened by a logged-in user
  • local access and user interaction are required (social engineering/phishing deli
Exploitation Process

  1. An attacker crafts a Word document that drives Word to perform security decisions using untrusted inputs.
  2. A user opens the document, triggering the bypass during Word's security checks.
  3. The bypass may allow malicious COM/OLE controls to operate, potentially leading to unintended actions within the host.
  4. Exploitation is observed in the wild in some environments targeting Microsoft Word/Office components.

Detection Resources
  • Manual Detection: 0
  • Script Detection: 0
  • Scanner Detection: 0

Affected Software

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise; Office Long-Term Servicing Channel (LTSC) 2021 and 2024 (Windows and macOS)
Affected Versions: 365 Apps for Enterprise (Enterprise channel); Office Long-Term Servicing Channel 2021 (Windows x64/x86, macOS) and Office Long-Term Servicing Channel 2024 (Windows x64/x86, macOS)
Description

Office productivity suite including Word; used for creating, editing and viewing documents, spreadsheets, presentations and other business content.

Deployment: | Protocol: Local | Ports:

Affected Component
Word's OLE/COM security decision logic where untrusted inputs influence security decisions.

Affected Endpoints (4)
  1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514
  2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21514
  3. https://nvd.nist.gov/vuln/detail/CVE-2026-21514
  4. https://www.rapid7.com/db/vulnerabilities/microsoft-office-cve-2026-21514/
Enterprise Usage
Estimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals, not exact data.

Vendor Size: Big
Remediation
  • Workaround: Not available
  • Patch: Not available
  • Update: Not available

Threat Intelligence
  • EPSS: data unavailable
  • CISA KEV: Not Listed
  • Active Exploitation: No Evidence
  • Threat Actors: No known threat actors

Detection Rules (6)
  • Other: Word bypass indicators: Word process exhibits abnormal behavior (child processes, macro activity)
  • Other: Unusual network activity from WINWORD.EXE related to document processing
  • Other: Unexpected changes to Word security settings or protection policies
  • Other: Threat hunting resource
  • Other: Threat hunting resource
  • Other: Threat hunting resource

NVD Data

Description Summary

Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.

CVSS Base Score: 7.8 (High)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Attack Vector (AV): Local
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): Required
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

CWE: CWE-807 Reliance on Untrusted Inputs in a Security Decision
Version From: | Version Upto:

Affected Software (CPE) (8)

  • cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
  • cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*

Sources (0)

No sources

Priority History

Planned Fix

Initial analysis