
Microsoft has acknowledged the existence of an actively exploited zero-day vulnerability in its Office suite. The company has also released a fix for the flaw, which is tracked as CVE-2026-21509.
Described as a “Microsoft Office Security Feature Bypass Vulnerability”, it has been assigned a severity rating of Important rather than Critical. What makes it urgent is not the rating but the fact that active exploitation has already been observed in the wild.
In a post to the Microsoft Security Response Center (MSRC), the company provides the following summary of the vulnerability: “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally”.
The vulnerability is exploited by convincing a victim to open a malicious Office document. The versions that need a security update are Microsoft Office 2016 and Microsoft Office 2019 (in their various editions); newer versions are addressed by a service-side change, as Microsoft’s guidance below explains.
In a list of frequently asked questions about the issue, Microsoft says:
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
An attacker must send a user a malicious Office file and convince them to open it.
Are the updates for Microsoft Office 2016 and 2019 currently available?
Yes. As of January 26, 2026, the security update for Microsoft Office 2016 and 2019 is available. Customers running Microsoft Office 2016 and 2019 should ensure the update is installed to be protected from this vulnerability.
How do I know what version of Office I am running?
On January 26, 2026, Microsoft released build number 16.0.10417.20095 to address this vulnerability.
To see what version you have installed:
- In a document click the File tab.
- Click Account in the left hand pane.
- Click About. The top line of the About dialog box will display the Build number.
What kind of security feature could be bypassed by successfully exploiting this vulnerability?
This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls.
Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.
Microsoft also provides the following information about the vulnerability:
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.
The following mitigating factors might be helpful in your situation:
Customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.
Customers running Office 2016 and 2019 are not protected until they install the security update. Customers on these versions can apply the registry keys described as follows to be immediately protected.
Microsoft Office:
- To start blocking please add the following registry keys:
Caution: Follow these steps carefully. Serious problems may occur if you modify the registry incorrectly. Before you start we recommend that you have a known good backup of your registry. See this article for more information: https://support.microsoft.com/en-us/help/322756/how-to-back-up-and-restore-the-registry-in-windows
Exit all Microsoft Office applications. Start the Registry Editor by tapping Start (or pressing the Windows key on your keyboard) then typing regedit and pressing enter.
- Locate the proper registry subkey. It will be one of the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility (for 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows)
or
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility (for 32-bit MSI Office on 64-bit Windows)
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility (for 64-bit Click2Run Office, or 32-bit Click2Run Office on 32-bit Windows)
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility (for 32-bit Click2Run Office on 64-bit Windows)
Note: The COM Compatibility node may not be present by default. If you don’t see it, add it by right-clicking the Common node and choosing Add Key.
- Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key.
Within that new subkey we’re going to add one new value by right-clicking the new subkey and choosing New > DWORD (32-bit) Value.
A REG_DWORD hexadecimal value called Compatibility Flags with a value of 400.
Exit Registry Editor and start your Office application.
Example
For example, in Office 2016, 64-bit, on Windows you would locate this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility
Note: Remember, if the COM Compatibility node doesn’t exist yet you’ll need to create it.
Then add a subkey with the name {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
In this case, the resulting path is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
To that subkey you’ll add a REG_DWORD value called Compatibility Flags with a value of 400.
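The registry procedure above is easy to get wrong by hand, because the correct parent key depends on whether Office was installed via MSI or Click-to-Run and on its bitness, and the intermediate COM Compatibility node may not exist. The following PowerShell is an added example, not Microsoft’s own tooling or part of the advisory: it walks the four candidate parents Microsoft lists, applies the Compatibility Flags kill-bit value (0x400) under the quoted CLSID wherever a parent exists, verifies the result, and reports the Click-to-Run build so it can be compared with the fixed build from the FAQ. It assumes the CLSID and flag value quoted above, that the Click-to-Run Configuration key’s VersionToReport value reflects the installed build, and that it is run from an elevated prompt.

```powershell
# Added example (not from Microsoft's advisory). Run as Administrator.
# Assumption: CLSID and flag value are those quoted in Microsoft's guidance above.
$Clsid   = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$KillBit = 0x400   # Compatibility Flags kill-bit, the same value used in ActiveX Compatibility

# The four parent keys Microsoft lists (MSI and Click-to-Run, 32-bit and 64-bit).
$CommonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common'
)

function Set-OfficeComKillBit {
    param([string[]]$Parents, [string]$Clsid, [int]$Flags)
    $applied = @()
    foreach ($parent in $Parents) {
        # Only touch hives that belong to an Office flavour actually installed here.
        if (-not (Test-Path -LiteralPath $parent)) { continue }
        $key = Join-Path (Join-Path $parent 'COM Compatibility') $Clsid
        # -Force creates the missing "COM Compatibility" node and the CLSID subkey in one go.
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $Flags -Force | Out-Null
        $applied += $key
    }
    return $applied
}

function Test-OfficeComKillBit {
    param([string[]]$Parents, [string]$Clsid, [int]$Flags)
    foreach ($parent in $Parents) {
        if (-not (Test-Path -LiteralPath $parent)) { continue }
        $key   = Join-Path (Join-Path $parent 'COM Compatibility') $Clsid
        $value = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                   -ErrorAction SilentlyContinue).'Compatibility Flags'
        # The kill-bit is satisfied if the 0x400 bit is set, even if other flags are present.
        $isSet = ($null -ne $value) -and (($value -band $Flags) -eq $Flags)
        [pscustomobject]@{ Key = $key; 'Compatibility Flags' = $value; KillBitSet = $isSet }
    }
}

# Report the Click-to-Run build (assumption: VersionToReport is the installed build)
# so it can be compared with the fixed build 16.0.10417.20095 from the FAQ above.
$c2r = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
         -ErrorAction SilentlyContinue
if ($c2r) { "Click-to-Run build: $($c2r.VersionToReport)" } else { "No Click-to-Run installation found." }

# Exit all Office applications before running these two lines, as Microsoft's steps require.
Set-OfficeComKillBit  -Parents $CommonKeys -Clsid $Clsid -Flags $KillBit
Test-OfficeComKillBit -Parents $CommonKeys -Clsid $Clsid -Flags $KillBit | Format-Table -AutoSize
```

The verification step masks with 0x400 rather than comparing for equality, so a key that already carried other compatibility flags still reports as protected; any row with KillBitSet equal to False after the script runs points at a parent key that could not be written and should be inspected in Registry Editor. Treat this as an interim measure only: the registry change is Microsoft’s stop-gap for Office 2016 and 2019 until the security update is installed.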
There are various pieces of good news here, not least of which is that Microsoft has produced fixes: Office 2016 and 2019 users need to make sure they have installed all available updates for their version, and can apply the registry mitigation above in the meantime, while Office 2021 and later are protected by the service-side change once their Office applications are restarted. The fact that only the older, patchable versions still require a client-side update also helps to limit the impact of the flaw.
Image credit: Alexey Novikov / Dreamstime.com
