{"id":1939,"date":"2026-01-27T09:13:46","date_gmt":"2026-01-27T08:13:46","guid":{"rendered":"https:\/\/ilja-schlak.de\/?p=1939"},"modified":"2026-02-02T21:03:57","modified_gmt":"2026-02-02T20:03:57","slug":"zero-day-vulnerability-cve-2026-21509-in-microsoft-office","status":"publish","type":"post","link":"https:\/\/ilja-schlak.de\/en\/zero-day-vulnerability-cve-2026-21509-in-microsoft-office\/","title":{"rendered":"Zero-Day Vulnerability \u2013 CVE-2026-21509 in Microsoft Office"},"content":{"rendered":"<p>Update on CVE-2026-21509: The vulnerability is being actively exploited, affects multiple Office product lines, and there is now clearer information on patch status and the registry mitigation recommended by Microsoft.<\/p>\n<h2>Update of February 2, 2026<\/h2>\n<p>The scope for CVE-2026-21509 is now consistent: Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise are affected. Details and the CISA KEV due date can be verified via the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-21509\" rel=\"nofollow noopener\" target=\"_blank\">NVD<\/a>.<\/p>\n<p>For patch status, distinguishing by product line is crucial. For Office 2016, there is a security update <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/description-of-the-security-update-for-office-2016-january-26-2026-kb5002713-32ec881d-a3b5-470c-b9a5-513cc46bc77e\" rel=\"nofollow noopener\" target=\"_blank\">KB5002713<\/a>, which explicitly applies only to MSI-based installations. For volume-licensed Office 2019 installations, a new build 10417.20095 with release date January 26, 2026 is documented in the <a href=\"https:\/\/learn.microsoft.com\/de-de\/officeupdates\/update-history-office-2019\" rel=\"nofollow noopener\" target=\"_blank\">Office update history<\/a>. 
According to the guidance, Office 2021 and later are protected via a service-side change that becomes effective after restarting the Office apps.<\/p>\n<p>If patching is not possible in the short term, a mitigation described by Microsoft can reduce exploitability. In the Office COM Compatibility context, it blocks the CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} with the value Compatibility Flags = 0x400 (hex). A clear walkthrough of the relevant paths and steps can be found in the analysis by <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-patches-actively-exploited-office-zero-day-vulnerability\/\" rel=\"nofollow noopener\" target=\"_blank\">BleepingComputer<\/a>. Registry changes should be tested and safeguarded in advance.<\/p>\n<h2>Zero-Day Vulnerability \u2013 CVE-2026-21509 in Microsoft Office: Actively Exploited Security Feature Bypass \u2013 Facts, Updates, and Mitigations<\/h2>\n<p>There is solid primary-source data for <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-21509\" rel=\"nofollow noopener\" target=\"_blank\">CVE-2026-21509<\/a> available from the NVD. The record was published in the NVD on January 26, 2026, lists a CVSS v3.1 base score of 7.8 (\u201cHigh\u201d) reported by Microsoft as the CNA, and is flagged in the NVD as being included in CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog, including a due date of February 16, 2026.<\/p>\n<h3>What is CVE-2026-21509 \u2014 and what is certain about it?<\/h3>\n<p>The NVD describes CVE-2026-21509 as a \u201cSecurity Feature Bypass\u201d in Microsoft Office, caused by a security-relevant decision that relies on untrusted inputs. 
The CVSS vector shown in the NVD (CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H) means in practice that exploitation requires user interaction (UI:R), does not require privileges (PR:N), and can have severe impact if successful (C\/I\/A are each \u201cHigh\u201d).<\/p>\n<p>For accurate secondary reporting, it is important to note that the publicly visible primary texts in the NVD and in Microsoft\u2019s KB article for KB5002713 do not explicitly detail which specific Office protection mechanism is being bypassed. Anyone asserting technical details about the underlying mechanism should verify them directly against the vendor channel in the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-21509\" rel=\"nofollow noopener\" target=\"_blank\">MSRC Update Guide<\/a>. (The MSRC entry is web-based and requires JavaScript.)<\/p>\n<blockquote>\n<h2><span style=\"font-size: 12pt;\">Aside: What does CVSS mean \u2014 and why the score alone is not enough?<\/span><\/h2>\n<p><span style=\"font-size: 12pt;\">CVSS (Common Vulnerability Scoring System) is a standard used to rate vulnerabilities based on technical exploitability and potential impact. The base score combines metrics such as attack vector (for example, local vs. network), required complexity, required privileges and user interaction, and the impact on confidentiality, integrity, and availability. The key point is that CVSS primarily represents a technical snapshot, not automatically the real-world risk in your environment. 
Exploit availability, active exploitation (\u201cin the wild\u201d), existing mitigations, exposure (for example, email gateways and macro policies), and business criticality can significantly increase or decrease the practical urgency \u2014 even when the CVSS score is identical.<\/span><\/p>\n<\/blockquote>\n<h3>Why is this urgent?<\/h3>\n<p>The NVD lists CVE-2026-21509 as included in CISA\u2019s KEV catalog and states as the \u201cRequired Action\u201d that mitigations should be applied according to the vendor\u2019s guidance or that use should be discontinued if no mitigations are available. The \u201cDue Date\u201d referenced there is binding under CISA BOD 22-01 particularly for U.S. FCEB agencies; for other organizations, it is a strong prioritization signal but not automatically a legal deadline.<\/p>\n<h3>Updates and affected products: What is proven, and what must be checked in MSRC?<\/h3>\n<p>Product-specific affected status should be verified in the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-21509\" rel=\"nofollow noopener\" target=\"_blank\">MSRC Update Guide<\/a>, because the NVD points there. However, the following remediation information is already cleanly supported by Microsoft primary sources.<\/p>\n<p>For MSI-based installations of Office 2016, a security update exists. Microsoft states in <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/description-of-the-security-update-for-office-2016-january-26-2026-kb5002713-32ec881d-a3b5-470c-b9a5-513cc46bc77e\" rel=\"nofollow noopener\" target=\"_blank\">KB5002713<\/a> that this update resolves a \u201cMicrosoft Word security feature bypass vulnerability\u201d and explicitly references CVE-2026-21509. 
Microsoft also clarifies that the Download Center fix applies to the Microsoft Installer (MSI) edition and not to Office Click-to-Run editions.<\/p>\n<p>For volume-licensed Office 2019 installations, Microsoft documents a new release in the official update history on January 26, 2026: \u201cVersion 1808 (Build 10417.20095)\u201d in the article <a href=\"https:\/\/learn.microsoft.com\/de-de\/officeupdates\/update-history-office-2019\" rel=\"nofollow noopener\" target=\"_blank\">\u201cUpdate history for Office 2016 C2R and Office 2019\u201d<\/a>. This update history does not include CVE mapping; therefore, whether and how this build addresses CVE-2026-21509 must be verified via MSRC and\/or the vendor\u2019s security release notes.<\/p>\n<p>This context is not optional; it is decision-relevant. Microsoft explicitly notes in the same update history that support for Office 2019 ended on October 14, 2025 and that updates after that date are provided only at Microsoft\u2019s discretion. In environments still running Office 2019, this is a lifecycle and risk issue that should be reflected in remediation planning.<\/p>\n<h3>Temporary mitigation: Use the Office COM kill bit only in a controlled manner<\/h3>\n<p>If a patch rollout is not immediately possible, blocking specific COM objects via the Office COM kill bit can be considered as an emergency measure. Microsoft describes the mechanism, registry paths, and the relevant value (\u201cCompatibility Flags\u201d = 0x00000400) in <a href=\"https:\/\/support.microsoft.com\/de-de\/topic\/sicherheitseinstellungen-f%C3%BCr-com-objekte-in-office-b08a031c-0ab8-3796-b8ec-a89f9dbb443d\" rel=\"nofollow noopener\" target=\"_blank\">\u201cSecurity settings for COM objects in Office\u201d<\/a>. 
The kill bit should not be set \u201cspeculatively\u201d; it should only be applied when the vendor or a reliable internal analysis identifies a specific CLSID as the relevant attack surface.<\/p>\n<h3>Conclusion<\/h3>\n<p>CVE-2026-21509 is a Microsoft-CNA-rated security feature bypass in Office with CVSS 7.8 (High) and a clear \u201cKnown Exploited\u201d signal in the NVD. For Office 2016 (MSI), KB5002713 is clearly documented as a CVE-related security update. For Office 2019, a new build is documented, but CVE mapping is not included in the update history itself; therefore, reliable product and fix mapping must be verified against the MSRC entry.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zero-Day Vulnerability \u2013 CVE-2026-21509 in Microsoft Office: Actively Exploited Security Feature Bypass \u2013 Facts, Updates, and Mitigations<\/p>\n","protected":false},"author":1,"featured_media":1940,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[120],"tags":[],"class_list":["post-1939","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts\/1939","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/comments?post=1939"}],"version-history":[{"count":3,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts\/1939\/revisions"}],"predecessor-version":[{"id":2027,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/posts\/1939\/revisions\/2027"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\
/media\/1940"}],"wp:attachment":[{"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/media?parent=1939"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/categories?post=1939"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ilja-schlak.de\/en\/wp-json\/wp\/v2\/tags?post=1939"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}