Microsoft has released an emergency fix for an actively-exploited zero-day vulnerability affecting Microsoft Office.
The vulnerability, CVE-2026-21509, is labeled a Microsoft Office Security Feature Bypass vulnerability that exploits the software weakness CWE-807 (Reliance on Untrusted Inputs in a Security Decision).
Microsoft doesn’t say what threat actor is exploiting the vulnerability or how it’s being exploited, and doesn’t even acknowledge the researchers who discovered the vulnerability, but the software giant’s advisory includes lengthy mitigation guidance for users of Office 2016 and 2019, who must wait for a forthcoming Microsoft emergency fix.
Microsoft Emergency Fix for Office 2016 and 2019 Coming Soon
Microsoft said that customers on Office 2021 and later “will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.”
Office 2016 and 2019 customers will have to wait for a forthcoming security update, but can protect themselves by applying registry keys as instructed (included below). Office Client 2016 and 2019 updates “will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE,” Microsoft said.
The 7.8-rated vulnerability requires user interaction to be exploited. An attacker would have to send a malicious Office file and convince users to open it for an exploit to be successful. It is the second actively exploited zero-day vulnerability fixed by Microsoft this month, following CVE-2026-20805 fixed on Patch Tuesday. Microsoft has also released out-of-band Windows and Windows Server fixes this month for Windows and Outlook bugs.
Microsoft said the new CVE-2026-21509 fix addresses a vulnerability that bypasses OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM (Component Object Model)/OLE controls. COM/OLE is the framework that allows content from one application to be integrated into another, such as from an Excel spreadsheet into a Word document. The Preview Pane is not an attack vector, Microsoft noted.
Office 2016 and 2019 Mitigations
Microsoft said Office 2016 and 2019 customers can apply registry keys as described for immediate protection. Microsoft recommends first backing up your registry and exiting all Microsoft Office applications.
Start the Registry Editor by tapping Start or pressing the Windows key on your keyboard, then typing regedit and pressing enter.
Step 1
Locate the proper registry subkey. It will be one of the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows)
or
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit MSI Office on 64-bit Windows)
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Click2Run Office, or 32-bit Click2Run Office on 32-bit Windows)
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Click2Run Office on 64-bit Windows)
Note: The COM Compatibility node may not be present by default and may need to be added by right-clicking the Common node and choosing Add Key.
Step 2
Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key.
Within that new subkey, add one new value by right-clicking the new subkey and choose New > DWORD (32-bit) Value, naming the new REG_DWORD value Compatibility Flags and assigning it a value of 400.
Exit Registry Editor and start your Office application.
Microsoft offered the following example:
In Office 2016, 64-bit, on Windows you would locate this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\
If the COM Compatibility node doesn’t exist, you’ll need to create it.
Then add a subkey with the name {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
The resulting path in this case is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
To that subkey, add a REG_DWORD value called Compatibility Flags with a value of 400.
