Microsoft has launched emergency out-of-band safety updates to patch a high-severity Microsoft Workplace zero-day vulnerability exploited in assaults.
The safety function bypass vulnerability, tracked as CVE-2026-21509, impacts a number of Workplace variations, together with Microsoft Workplace 2016, Microsoft Workplace 2019, Microsoft Workplace LTSC 2021, Microsoft Workplace LTSC 2024, and Microsoft 365 Apps for Enterprise (the corporate’s cloud-based subscription service).
Nonetheless, as famous in at present’s advisory, safety updates for Microsoft Workplace 2016 and 2019 aren’t but accessible and can be launched as quickly as doable.
Whereas the preview pane isn’t an assault vector, unauthenticated native attackers can nonetheless efficiently exploit the vulnerability via low-complexity assaults that require consumer interplay.
“Reliance on untrusted inputs in a safety determination in Microsoft Workplace permits an unauthorized attacker to bypass a safety function domestically. An attacker should ship a consumer a malicious Workplace file and persuade them to open it,” Microsoft defined.
“This replace addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Workplace which defend customers from susceptible COM/OLE controls.”
“Clients on Workplace 2021 and later can be mechanically protected through a service-side change, however can be required to restart their Workplace functions for this to take impact,” it added.
Though Workplace 2016 and 2019 aren’t instantly patched towards assaults, Microsoft has offered complicated mitigation measures that would “cut back the severity of exploitation.”
We’ve tried to clear this up with our directions under:
- Shut all Microsoft Workplace functions.
- Create a backup of the Home windows Registry, as incorrectly enhancing it may well trigger points with the working system.
- Open the Home windows Registry Editor (regedit.exe) by clicking on the Begin menu and typing regedit, after which urgent Enter when it seems within the search outcomes.
- When open, use the deal with bar on the high to see if one of many following Registry keys exists:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0CommonCOM Compatibility (for 64-bit Workplace, or 32-bit Workplace on 32-bit Home windows) HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility (for 32-bit Workplace on 64-bit Home windows) HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareMicrosoftOffice16.0CommonCOM Compatibility HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility
If one of many above keys doesn’t exist, create a brand new “COM Compatibility” key below this Registry path by right-clicking on Frequent and deciding on New -> Key.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0Common - Now right-click on the present or newly created COM Compatibility key and choose New -> Key and identify it {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
- When the brand new {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} is created, right-click on it, choose New -> DWORD (32-bit) Worth. Title the brand new worth Compatibility Flags.
- When the Compatibility Flags worth is created, double-click on it, ensure the Base choice is ready to Hexadecimal, and enter 400 within the Worth information area.
After performing these steps, the flaw can be mitigated while you subsequent launch an Workplace utility.
Microsoft has not shared who found the vulnerability or any particulars on how it’s exploited, and a spokesperson was not instantly accessible for remark when contacted by BleepingComputer earlier at present.
Earlier this month, as a part of the January 2026 Patch Tuesday, Microsoft issued safety updates for 114 flaws, together with one actively exploited and two publicly disclosed zero-day bugs.
The opposite actively exploited zero-day patched this month is an info disclosure flaw within the Desktop Window Supervisor, tagged by Microsoft as “vital severity,” that may let attackers to learn reminiscence addresses related to the distant ALPC port.
Final week, Microsoft additionally launched a number of out-of-band Home windows updates to repair shutdown and Cloud PC bugs triggered by the January Patch Tuesday updates, in addition to one other set of emergency updates to deal with a problem inflicting the basic Outlook e mail consumer to freeze or cling.
Whether or not you are cleansing up previous keys or setting guardrails for AI-generated code, this information helps your group construct securely from the beginning.
Get the cheat sheet and take the guesswork out of secrets and techniques administration.
