Urgent Security Patch Released for Widespread Office Software Vulnerability
An immediate security patch has been released to address a critical vulnerability in a popular office software suite. The flaw, tracked as CVE-2026-21509, carries a severity score of 7.8 out of 10 and is classified as a security feature bypass within the software suite.
The flaw stems from the software relying on untrusted input when making a security decision. By exploiting it, an attacker can bypass the suite's Object Linking and Embedding (OLE) protections, which are designed to shield users from vulnerable Component Object Model (COM) or OLE controls.
How is the Vulnerability Exploited?
To exploit this vulnerability, the attacker would need to craft a specially prepared file with the office software and convince the recipient to open it. Notably, the Preview Pane is not an attack vector.
Who is Protected and How?
Users of the office software versions 2021 and newer will automatically receive protection through a service-side change. However, these users will need to restart their software applications for the change to take effect. Users of the software versions 2016 and 2019 will need to manually install the following updates:
- 2019 version (32-bit) - 16.0.10417.20095
- 2019 version (64-bit) - 16.0.10417.20095
- 2016 version (32-bit) - 16.0.5539.1001
- 2016 version (64-bit) - 16.0.5539.1001
Suggested Mitigation Steps
In addition to the updates, the software company recommends that users make a specific Windows Registry change. Here are the steps to follow:
- Backup the Registry
- Close all software applications
- Open the Registry Editor
- Locate the correct registry subkey
- Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key
- In the new subkey, add a new value by right-clicking the subkey and choosing New > DWORD (32-bit) Value
- Add a REG_DWORD value named "Compatibility Flags" with the hexadecimal value 400
- Close Registry Editor and restart the software application
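The same registry mitigation, scripted so an administrator can verify it across machines and optionally apply it. This is an added example, not the vendor's own tooling; the advisory does not name the parent "COM Compatibility" key path, so it is a placeholder parameter you must replace with the vendor-documented location for your installed version. The CLSID, value name and flag value are the ones given above.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session.
# The parent key path is NOT given on the page; replace the placeholder below.
param(
    [string]$ComCompatPath = 'HKLM:\PLACEHOLDER-PARENT-PATH\COM Compatibility',
    [switch]$Apply   # without -Apply the script only reports the current state
)

$Clsid      = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # subkey named in the advisory
$ValueName  = 'Compatibility Flags'                       # value named in the advisory
$Expected   = 0x400                                       # hexadecimal 400 (decimal 1024)
$SubKeyPath = Join-Path $ComCompatPath $Clsid

function Test-Mitigation {
    # Returns $true only if the subkey exists and the 0x400 bit is set in the flags.
    if (-not (Test-Path -LiteralPath $SubKeyPath)) { return $false }
    $item = Get-ItemProperty -LiteralPath $SubKeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$ValueName) { return $false }
    return (($item.$ValueName -band $Expected) -eq $Expected)
}

if ($Apply) {
    # Step 1 of the advisory: back up the affected key before changing it.
    $backup  = Join-Path $env:TEMP ("com-compat-backup-{0}.reg" -f (Get-Date -Format 'yyyyMMddHHmmss'))
    $regPath = $ComCompatPath -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    reg.exe export $regPath $backup /y | Out-Null
    Write-Host "Registry backup written to $backup"

    # Create the CLSID subkey if missing, then set the REG_DWORD flag value.
    if (-not (Test-Path -LiteralPath $SubKeyPath)) {
        New-Item -Path $SubKeyPath -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $SubKeyPath -Name $ValueName `
        -PropertyType DWord -Value $Expected -Force | Out-Null
}

if (Test-Mitigation) {
    Write-Host ("Mitigation present: '{0}' = 0x{1:X} under {2}" -f $ValueName, $Expected, $SubKeyPath)
} else {
    Write-Host ("Mitigation NOT present under {0}" -f $SubKeyPath)
}
```

Close the office applications before running with -Apply and restart them afterwards, as the advisory's steps require; the check uses a bitwise test so it still reports the mitigation as present if other compatibility flags are combined with 0x400.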
The software company has yet to disclose specific information on the nature and extent of attacks exploiting CVE-2026-21509. The discovery of the issue was credited to the software company's internal security teams.
Government Agency's Response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded to the development by adding the flaw to its Known Exploited Vulnerabilities (KEV) catalog. It has instructed Federal Civilian Executive Branch (FCEB) agencies to apply the patches no later than February 16, 2026.