Microsoft on Monday issued out-of-band safety patches for a high-severity Microsoft Workplace zero-day vulnerability exploited in assaults.
The vulnerability, tracked as CVE-2026-21509, carries a CVSS rating of seven.8 out of 10.0. It has been described as a safety characteristic bypass in Microsoft Workplace.
“Reliance on untrusted inputs in a safety resolution in Microsoft Workplace permits an unauthorized attacker to bypass a safety characteristic regionally,” the tech big stated in an advisory.
“This replace addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Workplace, which shield customers from susceptible COM/OLE controls.”
Profitable exploitation of the flaw depends on an attacker sending a specifically crafted Workplace file and convincing recipients to open it. It additionally famous that the Preview Pane is just not an assault vector.
The Home windows maker stated clients operating Workplace 2021 and later can be robotically protected through a service-side change, however can be required to restart their Workplace functions for this to take impact. For these operating Workplace 2016 and 2019, it is required to put in the next updates –
- Microsoft Workplace 2019 (32-bit version) – 16.0.10417.20095
- Microsoft Workplace 2019 (64-bit version) – 16.0.10417.20095
- Microsoft Workplace 2016 (32-bit version) – 16.0.5539.1001
- Microsoft Workplace 2016 (64-bit version) – 16.0.5539.1001
As mitigation, the corporate is urging that clients make a Home windows Registry change by following the steps outlined beneath –
- Take a backup of the Registry
- Exit all Microsoft Workplace functions
- Begin the Registry Editor
- Find the correct registry subkey –
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOffice16.0CommonCOM Compatibility for 64-bit MSI Workplace or 32-bit MSI Workplace on 32-bit Home windows
- HKEY_LOCAL_MACHINESOFTWAREWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit MSI Workplace on 64-bit Home windows
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareMicrosoftOffice16.0CommonCOM Compatibility for 64-bit Click2Run Workplace or 32-bit Click2Run Workplace on 32-bit Home windows
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftOfficeClickToRunREGISTRYMACHINESoftwareWOW6432NodeMicrosoftOffice16.0CommonCOM Compatibility for 32-bit Click2Run Workplace on 64-bit Home windows
- Add a brand new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and selecting Add Key.
- Inside that subkey, add new worth by right-clicking the brand new subkey and selecting New > DWORD (32-bit) Worth
- Add a REG_DWORD hexadecimal worth referred to as ”Compatibility Flags” with a price of 400
- Exit Registry Editor and begin the Workplace software
Microsoft has not shared any particulars in regards to the nature and the scope of assaults exploiting CVE-2026-21509. It credited the Microsoft Risk Intelligence Middle (MSTIC), Microsoft Safety Response Middle (MSRC), and Workplace Product Group Safety Crew for locating the problem.
The event has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to add the flaw to its Recognized Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Government Department (FCEB) businesses to use the patches by February 16, 2026.
