CVE-2026-21509: Microsoft Office Security Feature Bypass Vulnerability

Overview

Severity
High (CVSS 7.8)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Category
Security Feature Bypass
Exploit Status
Actively Exploited
Exploitation Likelihood
Detected
Patch Tuesday
2026-Jan
Released
2026-01-26
Last Updated
2026-01-29
EPSS Score
7.50% (percentile: 91.8%)
CISA KEV
Listed — due 2026-02-16

Description

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Are the updates for Microsoft Office 2016 and 2019 currently available? Yes. As of January 26, 2026, the security update for Microsoft Office 2016 and 2019 is available. Customers running Microsoft Office 2016 and 2019 should ensure the update is installed to be protected from this vulnerability. How do I know what version of Office 2016 and 2019 I am running? On January 26 2026, Microsoft released build numbers for Office 2016 16.0.5539.1001 and Office 2019 16.0.10417.20095 to address this vulnerability. To see what version you have installed: In a document click the File tab. Click Account in the left hand pane. Click About . The top line of the About dialog box will display the Build number. What kind of security feature could be bypassed by successfully exploiting this vulnerability? This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.

Known Exploits (1)

  • Microsoft Office Security Feature Bypass Vulnerability — added 2026-01-27T09:26:41Z

Detection & Weaponization (1 sources)

Maturity: Exploit

  • GitHub PoC: 11 repositories

Affected Products (10)

Microsoft Office

  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office LTSC 2024 for 32-bit editions
  • Microsoft Office LTSC 2024 for 64-bit editions
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)

Security Updates (1)

Acknowledgments

Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, Google Threat Intelligence Group

Revision History

  • 2026-01-26: Information published.
  • 2026-01-26: Corrected CVSS score. This is an informational change only.
  • 2026-01-26: The following revisions have been made: 1) Microsoft is announcing the availability of the security updates for Microsoft Office 2016 and 2019. Customers running these versions of Office should install the update for their product to be protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. 2) Updated FAQ and Mitigations.
  • 2026-01-26: The following revisions have been made: 1) Added the build numbers for Office 2019. 2) Added an FAQ describing how to view Office 2019 build numbers. 3) Updated Publicly Disclosed to No. 4) Added acknowledgement. These are informational changes only.
  • 2026-01-27: Updated FAQ information. This is an informational change only.
  • 2026-01-28: Acknowledgement added. This is an informational change only.
  • 2026-01-29: Updated mitigation. This is an informational change only.