Microsoft has released out-of-band security updates to address a critical zero-day vulnerability in Microsoft Office that has been exploited in the wild.
The flaw, tracked as CVE-2026-21509, is a security feature bypass issue affecting multiple Office products, including Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise.
According to Microsoft, patches are currently available for most supported versions, but updates for Office 2016 and Office 2019 have not yet been released and will be provided as soon as possible. While the vulnerability cannot be exploited through the Preview Pane, Microsoft warned that unauthenticated local attackers could still successfully exploit the issue via low-complexity attacks that require user interaction.
“Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,” Microsoft said in its advisory.
“Customers on Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect,” the company added. “Customers on Office 2016 and 2019 are not protected until they install the upcoming security update.”
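The advisory splits affected customers into two groups with different actions: Office 2021 and later (and Microsoft 365 Apps) are protected by the service-side change once Office applications are restarted, while Office 2016 and 2019 need the forthcoming update. The PowerShell below is an added example (not from the article and not Microsoft's own tooling) that a defender could run on a Windows host to list installed Office products, map each to the corresponding action, and flag Office processes that are still running and so have not yet picked up the service-side change. It assumes that Click-to-Run installs record their product IDs and version under `HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration` (`ProductReleaseIds`, `VersionToReport`) and that an MSI-based Office 2016 can be located via the `16.0\Common\InstallRoot` key; the product-ID patterns used to assign a family are heuristics, not an authoritative mapping.

```powershell
# Added example, not part of the original article or of Microsoft's guidance.
# Assumption: Click-to-Run installs expose ProductReleaseIds and VersionToReport here.
$C2RConfig = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
# Assumption: MSI-based Office 2016 registers its install path under one of these keys.
$MsiRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\InstallRoot'
)

function Get-OfficeFamily {
    # Heuristic mapping from a Click-to-Run product ID to an Office family.
    param([string]$ProductId)
    switch -Regex ($ProductId) {
        '2024'             { return 'Office LTSC 2024' }
        '2021'             { return 'Office LTSC 2021' }
        '2019'             { return 'Office 2019' }
        '^O365|^M365'      { return 'Microsoft 365 Apps' }
        default            { return 'Unknown (review manually)' }
    }
}

function Get-AdvisoryAction {
    # Action per the advisory: 2021+/M365 need an app restart, 2016/2019 need the update.
    param([string]$Family)
    switch -Wildcard ($Family) {
        'Office LTSC 202*'  { return 'Protected by service-side change; restart Office apps' }
        'Microsoft 365*'    { return 'Protected by service-side change; restart Office apps' }
        'Office 2016'       { return 'NOT protected; install the security update when released' }
        'Office 2019'       { return 'NOT protected; install the security update when released' }
        default             { return 'Unknown family; verify product and version manually' }
    }
}

function Get-OfficeAdvisoryStatus {
    $results = @()

    if (Test-Path $C2RConfig) {
        $cfg = Get-ItemProperty -Path $C2RConfig
        foreach ($id in ($cfg.ProductReleaseIds -split ',' | Where-Object { $_ })) {
            $family = Get-OfficeFamily -ProductId $id
            $results += [pscustomobject]@{
                Product = $id
                Version = $cfg.VersionToReport
                Family  = $family
                Action  = Get-AdvisoryAction -Family $family
            }
        }
    }

    # Fall back to an MSI-based install only when no Click-to-Run configuration exists.
    if (-not $results) {
        foreach ($root in $MsiRoots) {
            if (-not (Test-Path $root)) { continue }
            $exe = Join-Path (Get-ItemProperty -Path $root).Path 'WINWORD.EXE'
            if (-not (Test-Path $exe)) { continue }
            $results += [pscustomobject]@{
                Product = 'MSI install (assumed Office 2016)'
                Version = (Get-Item $exe).VersionInfo.FileVersion
                Family  = 'Office 2016'
                Action  = Get-AdvisoryAction -Family 'Office 2016'
            }
        }
    }
    return $results
}

function Get-RunningOfficeProcesses {
    # Long-running Office processes have not restarted and so have not applied the change.
    Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK -ErrorAction SilentlyContinue |
        Select-Object Name, Id, StartTime
}

Get-OfficeAdvisoryStatus | Format-Table -AutoSize
$running = Get-RunningOfficeProcesses
if ($running) {
    Write-Warning 'Office applications are still running; restart them so the service-side change takes effect.'
    $running | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the HKLM keys are readable, or push it through your endpoint management tooling to collect the table fleet-wide. Because the article does not state a patched build number, the script deliberately does not try to decide whether an Office 2016 or 2019 install is already updated; it only tells you which group a host falls into and whether a restart is still outstanding.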
Microsoft has not disclosed any details regarding the nature of the exploitation.
Earlier this month, the vendor addressed an actively exploited information disclosure vulnerability (CVE-2026-20805), which impacts the Windows Desktop Window Manager. A successful exploit allows an attacker to read memory addresses associated with a remote Advanced Local Procedure Call (ALPC) port.