
Microsoft Pushes Emergency Office Patch for Actively Exploited Zero-Day
Microsoft issued emergency out-of-band security updates to fix a high-severity Office zero-day (CVE-2026-21509) that is being actively exploited. The flaw affects multiple Office versions, including 2016, 2019, LTSC 2021/2024, and Microsoft 365 Apps for Enterprise; patches for 2016/2019 are not yet available. Exploitation requires user interaction with a malicious Office file, and the flaw bypasses OLE mitigations. Office 2021 and later will be protected via a service-side change (restart required). For older Office versions, Microsoft provides mitigations, including registry changes, to reduce exploitation risk. Additional related fixes were noted from January 2026 Patch Tuesday.