
Once again, Microsoft was forced to quickly fix some flaws.
The company has released unscheduled patches for Microsoft Office, addressing a dangerous zero-day vulnerability that has already been exploited in cyberattacks. The issue, identified as CVE-2026-21509, affects several versions of the Office suite: Office 2016, Office 2019, Office LTSC 2021 and 2024, as well as Microsoft 365 Apps for Enterprise.
The vulnerability allows bypassing Office security mechanisms responsible for blocking malicious COM/OLE components.
The attack itself is fairly simple: the attacker only needs to send the user a malicious document and convince them to open it. User interaction is required, but technically the whole thing seems incredibly simple.
The good news is that users of Office 2021 and later are already automatically protected: Microsoft has patched the vulnerability. However, the changes will only take effect after restarting Office applications.
However, owners of Office 2016 and 2019 will be out of luck: patches for these versions are not yet ready, and the company promises to release them “soon.”
To mitigate the risk, Microsoft has proposed a temporary solution: manual configuration via the Windows Registry. This measure seems complex, but essentially it boils down to adding a special compatibility flag to the vulnerable COM component.
After that, protection will be activated the next time you start Office. The company specifically emphasizes that it’s recommended to back up the registry before modifying it, otherwise you could cause even more serious problems than initially anticipated.
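The backup-then-flag sequence described above can be scripted and audited; the following is an added example, not Microsoft's published procedure and not taken from the article. It assumes the mitigation uses Office's documented COM kill-bit layout (a `COM Compatibility\{CLSID}` key with a `Compatibility Flags` DWORD of 0x400 under the Office 16.0 hives); the CLSID is a placeholder, and the real value, key path and flag must be taken from Microsoft's advisory for CVE-2026-21509.

```powershell
# Added example. Assumptions: key layout and 0x400 follow Office's documented COM
# kill-bit mechanism; take the real CLSID from Microsoft's CVE-2026-21509 advisory.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder, not a real CLSID
    [switch]$Apply                                               # without -Apply: audit only
)
$placeholder = '{00000000-0000-0000-0000-000000000000}'
$flagName = 'Compatibility Flags'
$killBit  = 0x400
# Office "Common" keys for MSI and Click-to-Run installs, 64- and 32-bit views.
$commonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-Flags([string]$Key) {
    (Get-ItemProperty -LiteralPath $Key -Name $flagName -ErrorAction SilentlyContinue).$flagName
}

if ($Apply) {
    if ($Clsid -eq $placeholder) { throw 'Set -Clsid to the value from the vendor advisory.' }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $i = 0
    foreach ($common in $commonKeys) {
        $root = "$common\COM Compatibility"
        $key  = "$root\$Clsid"
        if (Test-Path -LiteralPath $root) {
            # Back up the existing subtree first, as the article recommends.
            $backup = Join-Path $env:TEMP "com-compat-$stamp-$i.reg"
            & reg.exe export ($root -replace '^HKLM:', 'HKLM') $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup of $root failed; nothing changed there." }
        }
        # New-Item -Force would wipe an existing key's values, so create only if missing.
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $new = ([int](Get-Flags $key)) -bor $killBit   # keep any flags already present
        New-ItemProperty -LiteralPath $key -Name $flagName -PropertyType DWord -Value $new -Force | Out-Null
        $i++
    }
}

# Report the state of every location, whether or not anything was changed.
foreach ($common in $commonKeys) {
    $key = "$common\COM Compatibility\$Clsid"
    $flags = Get-Flags $key
    [pscustomobject]@{
        Key     = $key
        Flags   = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(not set)' }
        Blocked = ($null -ne $flags) -and (($flags -band $killBit) -ne 0)
    }
}
```

Run it without `-Apply` from an elevated prompt to audit a fleet, and restart Office applications after applying so the flag takes effect.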
Microsoft did not disclose details about how the vulnerability was exploited or who discovered it.
However, the story fits well with the general pattern of January: as part of Patch Tuesday 2026, the company has already fixed 114 vulnerabilities, including another actively exploited zero-day, and also released several unscheduled updates for bugs in Windows and Outlook.
