Emergency patch fixes active Microsoft Office zero-day CVE-2026-21509

Microsoft issued an out-of-band fix for a high-severity Office zero-day (CVE-2026-21509) that enables a local security feature bypass when users open a specially crafted Office file; exploitation requires user interaction, and the Preview Pane is not a vector. Office 2021+ patches will apply automatically with a service-side change but require restarting Office apps, while Office 2016/2019 users must install specific updates. A registry workaround is provided as mitigation. The flaw has been added to the CISA Known Exploited Vulnerabilities catalog, with federal agencies required to patch by February 16, 2026. Credit goes to MSTIC, MSRC, and the Office security team.
- Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation (The Hacker News)
- Microsoft patches actively exploited Office zero-day vulnerability (BleepingComputer)
- Microsoft patches serious Office zero-day vulnerability already being exploited in attacks (Neowin)
- Office zero-day exploited in the wild forces Microsoft OOB patch (theregister.com)
- Microsoft patches Office zero-day, Blackmoon targets Indian users, Konni targets blockchain devs (CISO Series)