The “trust but verify” era of document security has been blindsided by a sophisticated new threat that turns Microsoft’s own integration features against the user.
This week, Microsoft disclosed a critical zero-day vulnerability, CVE-2026-21509, which allows attackers to bypass core Object Linking and Embedding (OLE) security mitigations within the Microsoft Office Suite.
The flaw is actively exploited in the wild, affects most versions of Office, and allows malicious actors to execute unauthorized code when a victim opens a compromised file.
The essentials
- Name of vulnerability: Microsoft Office Security Feature Bypass Vulnerability
- Severity: Important
- ID: CVE-2026-21509
- Affected Software: Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Microsoft 365 Apps for Enterprise
Microsoft has a solution for the issue that is applied automatically in some cases and requires an update in others.
In short: Office 2016 and Office 2019 installations need an update to patch the vulnerability. Newer versions of Office (Office LTSC 2021, Office LTSC 2024 and Microsoft 365 Apps for Enterprise) do not require an update, as Microsoft is adding the protection through a service-side change; Office does, however, need to be restarted before that protection takes effect.
Downloads, if necessary, are provided on the official Update Guide website linked above (under ID).
Microsoft published mitigations as well, but these are not really required unless updates cannot be installed immediately. The mitigations require Registry edits and, like the service-side change, a restart of Office before they protect the application from potential exploits.
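The advisory splits affected installations into two groups: Office 2016/2019 need an update, newer versions get the protection server-side but only after Office is restarted. The PowerShell script below is an added inventory check written for this article; it is not Microsoft's code and does not apply the update or the Registry mitigations. It reads the standard Click-to-Run configuration key (`HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration`, values `ProductReleaseIds` and `VersionToReport`), reports which group the host falls into, and lists running Office processes with their start times so an administrator can see whether Office has been restarted. The mapping of product release IDs to the two groups (IDs containing "2019", or year-less 2016-generation IDs such as `ProPlusRetail`, count as "update required") is an assumption made here for illustration, and MSI-based Office 2016 installs without a Click-to-Run key are only flagged for manual review.

```powershell
# Added example: classify the local Office install per the CVE-2026-21509 advisory
# and show whether Office processes are still running (restart needed for the
# service-side protection). Read-only; changes nothing on the host.

function Get-OfficeCveStatus {
    $c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $cfg = Get-ItemProperty -Path $c2rKey -ErrorAction SilentlyContinue

    if (-not $cfg) {
        # No Click-to-Run install: could be an MSI-based Office 2016 (update required)
        # or no Office at all. Leave that decision to a manual check.
        return [pscustomobject]@{
            ProductIds = $null
            Version    = $null
            Group      = 'Unknown: no Click-to-Run key; check for MSI-based Office 2016 manually'
        }
    }

    $ids = $cfg.ProductReleaseIds
    # Assumption (not from the advisory): "2019" in the ID, or a year-less
    # 2016-generation ID, means Office 2016/2019 => update required.
    $legacyPattern = '2019|^(ProPlus|Standard|HomeBusiness|Professional)(Retail|Volume)$'
    $needsUpdate = ($ids -split ',') | Where-Object { $_ -match $legacyPattern }

    $group = if ($needsUpdate) {
        'Office 2016/2019: update required'
    } else {
        'Newer Office: protected by service-side change after Office restart'
    }

    [pscustomobject]@{
        ProductIds = $ids
        Version    = $cfg.VersionToReport
        Group      = $group
    }
}

function Get-RunningOfficeProcesses {
    # Common Office executables; any still running predate the restart.
    Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK, MSACCESS, VISIO -ErrorAction SilentlyContinue |
        Select-Object Name, Id, StartTime
}

$status = Get-OfficeCveStatus
$status | Format-List

$running = @(Get-RunningOfficeProcesses)
if ($running.Count -gt 0) {
    Write-Host 'Office processes still running (restart needed before protection applies):'
    $running | Format-Table -AutoSize
} else {
    Write-Host 'No Office processes running.'
}
```

Run it in an elevated or standard PowerShell session on the workstation being checked; the Registry read does not require administrator rights. Because the script only reports, it can be wrapped in a configuration-management job to collect the `Group` field across a fleet and prioritise the hosts that still need the actual update.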
