Update on CVE-2026-21509: The vulnerability is being actively exploited, affects multiple Office product lines, and there is now clearer information on patch status and the registry mitigation recommended by Microsoft.
Update of February 2, 2026
The affected scope for CVE-2026-21509 is now consistently reported: Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise are affected. Details and the CISA KEV due date can be verified via the NVD.
For patch status, distinguishing by product line is crucial. For Office 2016, there is a security update, KB5002713, which explicitly applies only to MSI-based installations. For volume-licensed Office 2019 installations, a new build, 10417.20095, released on January 26, 2026, is documented in the Office update history. According to the guidance, Office 2021 and later are protected via a service-side change that takes effect after the Office apps are restarted.
If patching is not possible in the short term, a mitigation described by Microsoft can reduce exploitability: via the Office COM Compatibility registry settings, it blocks the CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by setting Compatibility Flags = 0x400 (hex). A clear walkthrough of the relevant paths and steps can be found in the analysis by BleepingComputer. Registry changes should be tested and backed up in advance.
Zero-Day Vulnerability – CVE-2026-21509 in Microsoft Office: Actively Exploited Security Feature Bypass – Facts, Updates, and Mitigations
There is solid primary-source data for CVE-2026-21509 available from the NVD. The record was published in the NVD on January 26, 2026, lists a CVSS v3.1 base score of 7.8 (“High”) reported by Microsoft as the CNA, and is flagged in the NVD as being included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, including a due date of February 16, 2026.
What is CVE-2026-21509 — and what is certain about it?
The NVD describes CVE-2026-21509 as a “Security Feature Bypass” in Microsoft Office, caused by a security-relevant decision that relies on untrusted inputs. The CVSS vector shown in the NVD (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) means in practice that exploitation requires user interaction (UI:R), does not require privileges (PR:N), and can have severe impact if successful (C/I/A are each “High”).
For accurate secondary reporting, it is important to note that the publicly visible primary texts in the NVD and in Microsoft’s KB article for KB5002713 do not explicitly detail which specific Office protection mechanism is being bypassed. Anyone asserting technical details about the underlying mechanism should verify them directly against the vendor channel in the MSRC Update Guide. (The MSRC entry is web-based and requires JavaScript.)
Aside: What does CVSS mean — and why is the score alone not enough?
CVSS (Common Vulnerability Scoring System) is a standard used to rate vulnerabilities based on technical exploitability and potential impact. The base score combines metrics such as attack vector (for example, local vs. network), required complexity, required privileges and user interaction, and the impact on confidentiality, integrity, and availability. The key point is that CVSS primarily represents a technical snapshot, not automatically the real-world risk in your environment. Exploit availability, active exploitation (“in the wild”), existing mitigations, exposure (for example, email gateways and macro policies), and business criticality can significantly increase or decrease the practical urgency — even when the CVSS score is identical.
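To make the "combines metrics" statement concrete, the following added example (not part of the article, and not a tool from FIRST or the NVD) recomputes a CVSS v3.1 base score from a vector string using the metric weights and the Roundup rule of the CVSS v3.1 specification, and applies it to the vector the NVD lists for CVE-2026-21509:

```powershell
# Added example, not from the article or the CVSS maintainers. Reproduces the CVSS v3.1
# base score from a vector string so the way the metrics combine is visible.
# Weights and formulas follow the CVSS v3.1 specification (section 7 and Appendix A).
$Weights = @{
    AV  = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.2 }   # Attack Vector
    AC  = @{ L = 0.77; H = 0.44 }                      # Attack Complexity
    UI  = @{ N = 0.85; R = 0.62 }                      # User Interaction
    CIA = @{ H = 0.56; L = 0.22; N = 0.0 }             # Confidentiality / Integrity / Availability
}
# Privileges Required weighs more when Scope is Changed.
$PrWeights = @{
    U = @{ N = 0.85; L = 0.62; H = 0.27 }
    C = @{ N = 0.85; L = 0.68; H = 0.5 }
}

function RoundUp1 {
    # CVSS v3.1 Roundup: smallest one-decimal value >= input, computed with integer
    # arithmetic to avoid floating-point artefacts (Appendix A of the specification).
    param([double]$x)
    $i = [math]::Round($x * 100000)
    if ($i % 10000 -eq 0) { return $i / 100000.0 }
    return ([math]::Floor($i / 10000) + 1) / 10.0
}

function Get-Cvss31BaseScore {
    param([Parameter(Mandatory)][string]$Vector)
    # Parse "CVSS:3.1/AV:L/AC:L/..." into a metric -> value table.
    $m = @{}
    foreach ($part in ($Vector -split '/')) {
        $k, $v = $part -split ':'
        $m[$k] = $v
    }
    if ($m['CVSS'] -ne '3.1') { throw "Not a CVSS v3.1 vector: $Vector" }

    # Impact sub score: how much of C, I and A is lost, then scaled by Scope.
    $iss = 1 - (1 - $Weights.CIA[$m.C]) * (1 - $Weights.CIA[$m.I]) * (1 - $Weights.CIA[$m.A])
    $impact = if ($m.S -eq 'U') { 6.42 * $iss } else { 7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15) }

    # Exploitability: how hard it is to reach the flaw (vector, complexity, privileges, user interaction).
    $exploitability = 8.22 * $Weights.AV[$m.AV] * $Weights.AC[$m.AC] * $PrWeights[$m.S][$m.PR] * $Weights.UI[$m.UI]

    if ($impact -le 0) { return 0.0 }
    if ($m.S -eq 'U') { return RoundUp1 ([math]::Min($impact + $exploitability, 10.0)) }
    return RoundUp1 ([math]::Min(1.08 * ($impact + $exploitability), 10.0))
}

# The vector shown in the NVD for CVE-2026-21509.
Get-Cvss31BaseScore -Vector 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'
```

Working the NVD vector through by hand: with C, I and A all High the impact sub score is 1 - 0.44^3 (about 0.915), giving an impact of about 5.87 for unchanged scope, while the local vector, low complexity, no privileges and required user interaction give an exploitability of about 1.83; the sum, rounded up to one decimal, is the 7.8 the NVD lists. None of these terms says anything about exploit availability, exposure or business criticality, which is exactly why the score alone is not a risk rating.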
Why is this urgent?
The NVD lists CVE-2026-21509 as included in CISA’s KEV catalog and states as the “Required Action” that mitigations should be applied according to the vendor’s guidance or that use should be discontinued if no mitigations are available. The “Due Date” referenced there is binding under CISA BOD 22-01 particularly for U.S. FCEB agencies; for other organizations, it is a strong prioritization signal but not automatically a legal deadline.
Updates and affected products: What is proven, and what must be checked in MSRC?
Product-specific affected status should be verified in the MSRC Update Guide, because the NVD points there. However, the following remediation information is already directly supported by Microsoft primary sources.
For MSI-based installations of Office 2016, a security update exists. Microsoft states in KB5002713 that this update resolves a “Microsoft Word security feature bypass vulnerability” and explicitly references CVE-2026-21509. Microsoft also clarifies that the Download Center fix applies to the Microsoft Installer (MSI) edition and not to Office Click-to-Run editions.
For volume-licensed Office 2019 installations, Microsoft documents a new release in the official update history on January 26, 2026: “Version 1808 (Build 10417.20095)” in the article “Update history for Office 2016 C2R and Office 2019”. This update history does not include CVE mapping; therefore, whether and how this build addresses CVE-2026-21509 must be verified via MSRC and/or the vendor’s security release notes.
This context is not optional; it is decision-relevant. Microsoft explicitly notes in the same update history that support for Office 2019 ended on October 14, 2025 and that updates after that date are provided only at Microsoft’s discretion. In environments still running Office 2019, this is a lifecycle and risk issue that should be reflected in remediation planning.
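The product-line distinction drawn above (Office 2016 MSI versus the Click-to-Run lines, and the Office 2019 build of January 26, 2026) can be checked per machine. The following added example is not code from the article or from Microsoft; it reads the standard Click-to-Run configuration key, the MSI Uninstall keys and the Windows Installer patch database, and maps what it finds to the remediation statements made in this article (the Office 2019 build is assumed to be reported as 16.0.10417.20095):

```powershell
# Added example; not code from the article or from Microsoft. Reads the local Office
# installation type and build and maps them to the remediation facts the article cites.
# Registry locations used: the Click-to-Run configuration key, the MSI Uninstall keys
# and the Windows Installer patch database (all standard, but confirm on your images).
$Kb2016Msi      = 'KB5002713'                   # Office 2016 MSI security update (from the article)
$Build2019Fixed = [version]'16.0.10417.20095'   # Office 2019 VL build of 2026-01-26 (article: Build 10417.20095)

function Get-OfficeC2RConfig {
    # Click-to-Run installs (Office 2019/2021/2024 VL, Microsoft 365 Apps) record their
    # reported build and product release IDs here; MSI installs do not have this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $key)) { return $null }
    $cfg = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Build    = [version]$cfg.VersionToReport
        Products = @($cfg.ProductReleaseIds -split ',')
    }
}

function Test-OfficeMsi16Installed {
    # MSI editions of Office 2016 register Uninstall keys named Office16.<SKU>.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        if (Get-ChildItem -Path $root | Where-Object { $_.PSChildName -like 'Office16.*' }) { return $true }
    }
    return $false
}

function Test-OfficeMsiPatch {
    # Office MSI patches appear in the Installer patch database with a DisplayName such as
    # "Security Update for Microsoft Office 2016 (KBnnnnnnn) 32-Bit Edition".
    param([Parameter(Mandatory)][string]$Kb)
    $patchKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\Patches\*'
    $names = Get-ItemProperty -Path $patchKeys -Name DisplayName -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty DisplayName
    return [bool]($names | Where-Object { $_ -like "*$Kb*" })
}

function Get-Cve202621509Status {
    # Maps the inventory to the article's remediation statements. Kept free of registry
    # access so it can be exercised with known inputs before being run on fleet data.
    param([version]$C2RBuild, [string[]]$C2RProducts = @(), [bool]$Msi16, [bool]$KbPresent)
    $findings = @()
    if ($C2RBuild) {
        if ($C2RProducts -match '2019Volume') {
            $rel = if ($C2RBuild -ge $Build2019Fixed) { 'at or above' } else { 'below' }
            $findings += "Office 2019 VL (C2R) build $C2RBuild is $rel $Build2019Fixed. CVE mapping of that build must be confirmed in MSRC; Office 2019 support ended 2025-10-14."
        } elseif ($C2RProducts -match '2021Volume|2024Volume|O365') {
            $findings += "Office LTSC 2021/2024 or Microsoft 365 Apps (C2R) build $C2RBuild`: per the guidance, protected by a service-side change once the Office apps are restarted."
        } else {
            $findings += "Click-to-Run products '$($C2RProducts -join ',')' at build $C2RBuild`: not covered by the article's statements; verify in MSRC."
        }
    }
    if ($Msi16) {
        if ($KbPresent) { $findings += "Office 2016 MSI: $Kb2016Msi is installed." }
        else { $findings += "Office 2016 MSI: $Kb2016Msi is NOT installed; deploy it, or apply the COM kill bit mitigation until it can be." }
    }
    if ($findings.Count -eq 0) { $findings += 'No Office 2016 MSI or Click-to-Run installation detected.' }
    return $findings
}

# Run against the local machine (reading HKLM does not require elevation).
$c2r   = Get-OfficeC2RConfig
$msi16 = Test-OfficeMsi16Installed
$kbOk  = if ($msi16) { Test-OfficeMsiPatch -Kb $Kb2016Msi } else { $false }
Get-Cve202621509Status -C2RBuild $c2r.Build -C2RProducts $c2r.Products -Msi16 $msi16 -KbPresent $kbOk
```

The assessment function deliberately takes plain values rather than reading the registry itself, so the same logic can be fed inventory data exported from a fleet, and its wording reproduces only what the article states: the Office 2019 build comparison is reported together with the reminder that the CVE mapping of that build still has to be confirmed in MSRC.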
Temporary mitigation: Use the Office COM kill bit only in a controlled manner
If a patch rollout is not immediately possible, blocking specific COM objects via the Office COM kill bit can be considered as an emergency measure. Microsoft describes the mechanism, registry paths, and the relevant value (“Compatibility Flags” = 0x00000400) in “Security settings for COM objects in Office”. The kill bit should not be set “speculatively”; it should only be applied when the vendor or a reliable internal analysis identifies a specific CLSID as the relevant attack surface.
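The "controlled manner" called for here, and the advance testing and backup asked for in the update section above, amount to three things: record the prior state, change only the kill bit, and be able to restore exactly what was there. The following added example (not code from the article, BleepingComputer or Microsoft) does that for the CLSID named in the update section. The registry base keys it uses are an assumption, not a value taken from this article; confirm them against Microsoft's "Security settings for COM objects in Office" before use.

```powershell
# Added example; not code from the article, from BleepingComputer or from Microsoft.
# Sets the Office COM kill bit for the CLSID the article names, records the prior
# registry state, verifies the result, and can restore the recorded state.
# ASSUMPTION: $BaseKeys are the locations described in Microsoft's "Security settings
# for COM objects in Office"; confirm them against that article before any deployment.
$Clsid    = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID named in the article
$KillBit  = 0x400                                     # "Compatibility Flags" value named in the article
$BaseKeys = @('HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility')             # assumed path
if ([Environment]::Is64BitOperatingSystem) {
    $BaseKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility' # assumed path, 32-bit Office on x64
}
$StateFile = Join-Path $env:ProgramData 'ComKillBit-CVE-2026-21509.json'

function Get-ComCompatState {
    # Snapshot of each target key before the change: whether it existed and its current flags.
    foreach ($base in $BaseKeys) {
        $key   = Join-Path $base $Clsid
        $flags = $null
        if (Test-Path $key) { $flags = (Get-ItemProperty -Path $key).'Compatibility Flags' }
        [pscustomobject]@{ Key = $key; Existed = [bool](Test-Path $key); Flags = $flags }
    }
}

function Set-OfficeComKillBit {
    # Saves the pre-state, then ORs the kill bit into any existing flags instead of
    # overwriting them, so compatibility bits already set for the CLSID are kept.
    if (Test-Path $StateFile) { throw "State file $StateFile exists; run Remove-OfficeComKillBit first." }
    $state = @(Get-ComCompatState)
    ConvertTo-Json -InputObject $state | Set-Content -Path $StateFile -Encoding UTF8
    foreach ($s in $state) {
        if (-not $s.Existed) { New-Item -Path $s.Key -Force | Out-Null }
        $new = [int]$s.Flags -bor $KillBit
        New-ItemProperty -Path $s.Key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    }
}

function Test-OfficeComKillBit {
    # True only if the kill bit is present in every target key.
    $ok = foreach ($base in $BaseKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { $false; continue }
        $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
        ($null -ne $flags) -and (([int]$flags -band $KillBit) -eq $KillBit)
    }
    return -not (@($ok) -contains $false)
}

function Remove-OfficeComKillBit {
    # Restores exactly the recorded pre-state: removes keys that did not exist,
    # deletes or resets the flags value where the key did exist.
    $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    foreach ($s in @($state)) {
        if (-not $s.Existed) { Remove-Item -Path $s.Key -Recurse -Force -ErrorAction SilentlyContinue; continue }
        if ($null -eq $s.Flags) { Remove-ItemProperty -Path $s.Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue }
        else { Set-ItemProperty -Path $s.Key -Name 'Compatibility Flags' -Value ([int]$s.Flags) }
    }
    Remove-Item -Path $StateFile -Force
}

# Usage from an elevated PowerShell session:
#   Set-OfficeComKillBit; Test-OfficeComKillBit      # apply, then verify before relying on it
#   Remove-OfficeComKillBit                          # roll back once the patch is deployed
```

Two design points matter for a temporary mitigation of this kind. The kill bit is a single bit in a flags value, so the script ORs it in and later restores the recorded value rather than writing 0x400 over whatever was there. And because the state file records whether the key existed at all, rollback removes a key the script created but leaves a pre-existing key in place, which is what "safeguarded in advance" has to mean in practice.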
Conclusion
CVE-2026-21509 is a Microsoft-CNA-rated security feature bypass in Office with CVSS 7.8 (High) and a clear “Known Exploited” signal in the NVD. For Office 2016 (MSI), KB5002713 is clearly documented as a CVE-related security update. For Office 2019, a new build is documented, but CVE mapping is not included in the update history itself; therefore, reliable product and fix mapping must be verified against the MSRC entry.