• Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for

    From Mr. Man-wai Chang@3:633/10 to All on Wednesday, January 28, 2026 13:51:19
    Subject: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for
    Active Exploitation <https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html>

    Microsoft on Monday issued out-of-band security patches for a
    high-severity Microsoft Office zero-day vulnerability exploited in attacks.

    The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of
    7.8 out of 10.0. It has been described as a security feature bypass in Microsoft Office.

    "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,"
    the tech giant said in an advisory.

    "This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls."

    Successful exploitation of the flaw relies on an attacker sending a
    specially crafted Office file and convincing recipients to open it. It
    also noted that the Preview Pane is not an attack vector.

    ... more ....


    Related:

    Office ?????????? 2016?2019?2021?365 ??? - ???? HKEPC Hardware
    - ?? No.1 PC??
    <https://www.hkepc.com/24996/>

    --
    @~@ Simplicity is Beauty! Remain silent! Drink, Blink, Stretch!
    / v \ May the Force and farces be with you! Live long and prosper!!
    /( _ )\ https://sites.google.com/site/changmw/
    ^ ^ https://github.com/changmw/changmw


    --- PyGate Linux v1.5.6
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ§±¤ñ@3:633/10 to All on Tuesday, January 27, 2026 23:42:31
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    Mr. Man-wai Chang wrote on 1/27/2026 10:51 PM:
    Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation <https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html>


    Microsoft on Monday issued out-of-band security patches for a
    high-severity Microsoft Office zero-day vulnerability exploited in attacks.

    The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in
    Microsoft Office.

    "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,"
    the tech giant said in an advisory.

    "This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls."

    Successful exploitation of the flaw relies on an attacker sending a specially crafted Office file and convincing recipients to open it. It
    also noted that the Preview Pane is not an attack vector.


    MSFT Official Notice Jan 26, 2026 2 PM PST <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509>


    The official notice released Jan 26, 2026 2 PM PST

    Customers running Office 2021 and later will be automatically protected
    via a service-side change, but will be required to restart their Office applications for this to take effect.

    Customers running Office 2016 and 2019 are not protected until they
    install the security update. Customers on these versions can apply the registry keys described as follows to be immediately protected.

    As of end-of-business Jan 26, 2026 5 PM
    - The Official notice applicability section did not indicate M365, but the
    FAQ's section about bypassing OLE security features does have mention
    of M365
    - Updates released/deployed updated versions for both Office 2016 and
    2019. No mention in the article of Office 2021 or M365...but for those
    using M365, the latest M365 Current Channel version 2601(19628.20150) was released on Jan 27, 2026.


    --
    ...w­¤?ñ?¤

  • From J. P. Gilliver@3:633/10 to All on Wednesday, January 28, 2026 13:26:44
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    On 2026/1/28 6:42:31, ...w­¤?ñ?¤ wrote:
    Mr. Man-wai Chang wrote on 1/27/2026 10:51 PM:
    Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for
    Active Exploitation
    <https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html>


    Microsoft on Monday issued out-of-band security patches for a
    high-severity Microsoft Office zero-day vulnerability exploited in attacks.

    Do we have a KB number (or isn't that a valid question these days)?

    The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in
    Microsoft Office.

    "Reliance on untrusted inputs in a security decision in Microsoft Office
    allows an unauthorized attacker to bypass a security feature locally,"
    the tech giant said in an advisory.

    "This update addresses a vulnerability that bypasses OLE mitigations in
    Microsoft 365 and Microsoft Office, which protect users from vulnerable
    COM/OLE controls."

    Are earlier versions (e. g. 2003, 2007) vulnerable?

    Successful exploitation of the flaw relies on an attacker sending a
    specially crafted Office file and convincing recipients to open it. It
    also noted that the Preview Pane is not an attack vector.

    Would that file be .docx (or whatever)?
    []

    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    "Scheisse," said Pooh, trying out his German.

  • From ...w¡ñ§±¤ñ@3:633/10 to All on Wednesday, January 28, 2026 09:06:23
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    J. P. Gilliver wrote on 1/28/2026 6:26 AM:
    On 2026/1/28 6:42:31, ...w­¤?ñ?¤ wrote:
    Mr. Man-wai Chang wrote on 1/27/2026 10:51 PM:
    Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for
    Active Exploitation
    <https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html>


    Microsoft on Monday issued out-of-band security patches for a
    high-severity Microsoft Office zero-day vulnerability exploited in attacks.

    Do we have a KB number (or isn't that a valid question these days)?

    The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in
    Microsoft Office.

    "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally,"
    the tech giant said in an advisory.

    "This update addresses a vulnerability that bypasses OLE mitigations in
    Microsoft 365 and Microsoft Office, which protect users from vulnerable
    COM/OLE controls."

    Are earlier versions (e. g. 2003, 2007) vulnerable?

    Successful exploitation of the flaw relies on an attacker sending a
    specially crafted Office file and convincing recipients to open it. It
    also noted that the Preview Pane is not an attack vector.

    Would that file be .docx (or whatever)?
    []


    You replied to my post, but snipped its complete content.
    Using the link in my post, can provide the information and answers to
    what you asked.
    - the KB # for 2016, CTR document for 2019 and later
    - Versions supported are update-able and fixable, as in the past earlier non-supported versions are not. Likewise, MSFT does not report
    vulnerability to versions older than indicated in the CVE.
    - applies to any malicious Office file => 'whatever' in your terminology

    i.e. if using 2003 or 2007 or 2010 or 2013 you are SOL.
    --
    ...w­¤?ñ?¤

  • From J. P. Gilliver@3:633/10 to All on Wednesday, January 28, 2026 21:11:16
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    On 2026/1/28 16:6:23, ...w­¤?ñ?¤ wrote:
    []

    - Versions supported are update-able and fixable, as in the past earlier non-supported versions are not. Likewise, MSFT does not report
    vulnerability to versions older than indicated in the CVE.

    So earlier versions are not fixable (by this patch, anyway), but may not
    be vulnerable in the first place.

    - applies to any malicious Office file => 'whatever' in your terminology

    When I said does it have to be .docx or whatever, I meant does it have
    to be (for example) .docx, .xlsx, or whatever, as opposed to .doc, .xls,
    and so on - i. e. the "new" formats.

    i.e. if using 2003 or 2007 or 2010 or 2013 you are SOL.

    I don't know SOL :-) - OOL I would guess at!

    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    "The problem with socialism is that you eventually run out of other
    people's money."

  • From VanguardLH@3:633/10 to All on Wednesday, January 28, 2026 15:23:46
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    winston <winstonmvp@gmail.com> wrote:

    J. P. Gilliver wrote:

    winston wrote:

    Mr. Man-wai Chang wrote:

    Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation
    <https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html>


    Microsoft on Monday issued out-of-band security patches for a
    high-severity Microsoft Office zero-day vulnerability exploited in attacks.

    Do we have a KB number (or isn't that a valid question these days)?

    The vulnerability, tracked as CVE-2026-21509, carries a CVSS score of 7.8 out of 10.0. It has been described as a security feature bypass in
    Microsoft Office.

    "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," the tech giant said in an advisory.

    "This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls."

    Are earlier versions (e. g. 2003, 2007) vulnerable?

    Successful exploitation of the flaw relies on an attacker sending a
    specially crafted Office file and convincing recipients to open it. It also noted that the Preview Pane is not an attack vector.

    Would that file be .docx (or whatever)?

    You replied to my post, but snipped its complete content.
    Using the link in my post, can provide the information and answers to
    what you asked.
    - the KB # for 2016, CTR document for 2019 and later
    - Versions supported are update-able and fixable, as in the past earlier non-supported versions are not. Likewise, MSFT does not report
    vulnerability to versions older than indicated in the CVE.
    - applies to any malicious Office file => 'whatever' in your terminology

    i.e. if using 2003 or 2007 or 2010 or 2013 you are SOL.

    Not clear if updating Office 2021, what I have, got the necessary fixes,
    or if users are still expected to do the registry edits. After
    updating, my Office 2021 reports it is at 2601 (build 19628.20150 Click-to-Run). It was at 2512 released on Jan 13 which is before the
    Jan 26 date cited for the CVE-2026-21509 patch. Now I'm at 2601, but
    haven't found anything in that build description about CVE-2026-21509.

    "automatically protected via a service-side change"

    Hmm, wonder how users know when that happens, and what to check to
    verify if they got the patch, or not. Besides the Jan 26 update, are we
    still waiting for an additional patch rollout?

    When I click on Update Options -> View updates, I'm taken to:

    https://learn.microsoft.com/en-us/officeupdates/current-channel

    instead of an actual update history. Nothing mentioned there about CVE
    or OLE fixes. There were some OLE fixes mentioned, but way back to
    March.

    https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates

    CVE-2026-21509 isn't listed. The MS article you cited mentions the CVE,
    but not in which build number the user will see after the patch.

    The only add-ins installed into Word are those that came bundled with
    the product during installation; i.e., all are Microsoft supplied. I
    had an add-in in Outlook (Message Header Analyzer), but it didn't give
    me any more info that I could see when viewing all the headers, so I uninstalled it. That was from MS, too. In Word, I have "Disable all
    macros without notification". I don't add scripts into docs, and don't
    want to open docs from others that have scripts inside. Same for
    Outlook. In Excel, I chose "Disable VBA macros with notification". I
    don't use macros in my spreadsheets, but possibly someone else might,
    but I will get notified, and very likely deny. I don't see how a
    crafted doc could utilize scripts via OLE with macros disabled in all
    the MS Office components, and with no non-MS add-ins.

  • From ...w¡ñ§±¤ñ@3:633/10 to All on Wednesday, January 28, 2026 15:43:36
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    J. P. Gilliver wrote on 1/28/2026 2:11 PM:
    On 2026/1/28 16:6:23, ...w­¤?ñ?¤ wrote:
    []

    - Versions supported are update-able and fixable, as in the past earlier
    non-supported versions are not. Likewise, MSFT does not report
    vulnerability to versions older than indicated in the CVE.

    So earlier versions are not fixable (by this patch, anyway), but may not
    be vulnerable in the first place.
    It would be wise to assume the opposite => vulnerable

    - applies to any malicious Office file => 'whatever' in your terminology

    When I said does it have to be .docx or whatever, I meant does it have
    to be (for example) .docx, .xlsx, or whatever, as opposed to .doc, .xls,
    and so on - i. e. the "new" formats.
    All those file types can include links or phishing content - not sure
    why you wouldn't know that.

    i.e. if using 2003 or 2007 or 2010 or 2013 you are SOL.

    I don't know SOL :-) - OOL I would guess at!
    $hi+ Outta Luck


    --
    ...w­¤?ñ?¤

  • From ...w¡ñ§±¤ñ@3:633/10 to All on Wednesday, January 28, 2026 15:53:30
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    VanguardLH wrote on 1/28/2026 2:23 PM:


    You replied to my post, but snipped its complete content.
    Using the link in my post, can provide the information and answers to
    what you asked.
    - the KB # for 2016, CTR document for 2019 and later
    - Versions supported are update-able and fixable, as in the past earlier
    non-supported versions are not. Likewise, MSFT does not report
    vulnerability to versions older than indicated in the CVE.
    - applies to any malicious Office file => 'whatever' in your terminology

    i.e. if using 2003 or 2007 or 2010 or 2013 you are SOL.

    Not clear if updating Office 2021, what I have, got the necessary fixes,
    or if users are still expected to do the registry edits. After
    updating, my Office 2021 reports it is at 2601 (build 19628.20150 Click-to-Run). It was at 2512 released on Jan 13 which is before the
    Jan 26 date cited for the CVE-2026-21509 patch. Now I'm at 2601, but
    haven't found anything in that build description about CVE-2026-21509.

    Afaik, 2021(perpetual Home, Home&Business all CTR), 2021 ProPlus(MSI or
    CTR) and later including M365 editions(Personal, Family, Enterprise, Edu) after updating to the Jan 27 2026 version/build(2601, x.20150 or applicable version/build when installed/available...at this time **Do not have** the necessary registry keys noted in the CVE article manual workaround(editing, adding keys in the registry).
    -i.e. assume it has not been updated and still vulnerable is the safest position until known otherwise....though it is possible, and not the
    first occurrence that a vulnerability is/was removed with other underlying
    code exclusive of a need to change the registry.


    --
    ...w­¤?ñ?¤

  • From J. P. Gilliver@3:633/10 to All on Thursday, January 29, 2026 00:45:16
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    On 2026/1/28 22:43:36, ...w­¤?ñ?¤ wrote:
    J. P. Gilliver wrote on 1/28/2026 2:11 PM:
    On 2026/1/28 16:6:23, ...w­¤?ñ?¤ wrote:
    []

    - Versions supported are update-able and fixable, as in the past earlier non-supported versions are not. Likewise, MSFT does not report
    vulnerability to versions older than indicated in the CVE.

    So earlier versions are not fixable (by this patch, anyway), but may not
    be vulnerable in the first place.
    It would be wise to assume the opposite => vulnerable

    - applies to any malicious Office file => 'whatever' in your terminology

    When I said does it have to be .docx or whatever, I meant does it have
    to be (for example) .docx, .xlsx, or whatever, as opposed to .doc, .xls,
    and so on - i. e. the "new" formats.
    All those file types can include links or phishing content - not sure
    why you wouldn't know that.

    This thread started about a _specific_ exploit, that MS had released a
    patch to protect against.


    i.e. if using 2003 or 2007 or 2010 or 2013 you are SOL.

    I don't know SOL :-) - OOL I would guess at!
    $hi+ Outta Luck


    Ah :-)

    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    Practically every British actor with a bus pass is in there ...
    Barry Norman (on "The Best Exotic Marigold Hotel" [2011]), RT 2015/12/12-18

  • From ...w¡ñ§±¤ñ@3:633/10 to All on Wednesday, January 28, 2026 19:14:07
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    On 1/28/2026 5:45 PM, J. P. Gilliver wrote:
    On 2026/1/28 22:43:36, ...w­¤?ñ?¤ wrote:
    J. P. Gilliver wrote on 1/28/2026 2:11 PM:
    On 2026/1/28 16:6:23, ...w­¤?ñ?¤ wrote:
    []

    - Versions supported are update-able and fixable, as in the past earlier non-supported versions are not. Likewise, MSFT does not report
    vulnerability to versions older than indicated in the CVE.

    So earlier versions are not fixable (by this patch, anyway), but may not be vulnerable in the first place.
    It would be wise to assume the opposite => vulnerable

    - applies to any malicious Office file => 'whatever' in your terminology

    When I said does it have to be .docx or whatever, I meant does it have
    to be (for example) .docx, .xlsx, or whatever, as opposed to .doc, .xls, and so on - i. e. the "new" formats.
    All those file types can include links or phishing content - not sure
    why you wouldn't know that.

    This thread started about a _specific_ exploit, that MS had released a
    patch to protect against.

    The link provided to the CVE specified the exploit parameter as:
    "An attacker must send a user a malicious Office file and convince them
    to open it."
    => should be interpreted as any possible 'Office' file, i.e. no
    delineation for prior version file extensions.

    --
    ...w­¤?ñ?¤

  • From Boris@3:633/10 to All on Thursday, January 29, 2026 04:38:08
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    ...w¡ñ§±¤ñ <winstonmvp@gmail.com> wrote in news:10lefpf$vf8m$1@dont-email.me:

    On 1/28/2026 5:45 PM, J. P. Gilliver wrote:
    On 2026/1/28 22:43:36, ...w­¤?ñ?¤ wrote:
    J. P. Gilliver wrote on 1/28/2026 2:11 PM:
    On 2026/1/28 16:6:23, ...w­¤?ñ?¤ wrote:
    []

    - Versions supported are update-able and fixable, as in the past
    earlier non-supported versions are not. Likewise, MSFT does not
    report vulnerability to versions older than indicated in the CVE.

    So earlier versions are not fixable (by this patch, anyway), but may
    not be vulnerable in the first place.
    It would be wise to assume the opposite => vulnerable

    - applies to any malicious Office file => 'whatever' in your
    terminology

    When I said does it have to be .docx or whatever, I meant does it
    have to be (for example) .docx, .xlsx, or whatever, as opposed to
    .doc, .xls, and so on - i. e. the "new" formats.
    All those file types can include links or phishing content - not
    sure
    why you wouldn't know that.

    This thread started about a _specific_ exploit, that MS had released a
    patch to protect against.

    The link provided to the CVE specified the exploit parameter as:
    "An attacker must send a user a malicious Office file and convince them
    to open it."
    should be interpreted as any possible 'Office' file, i.e. no
    delineation for prior version file extensions.


    I read the article:

    <https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.htm


    I have some questions.

    My understanding is that any of the Office programs in versions 2021 and
    later, will be protected with a 'service-side change'. What is a
    service-side change?

    My understanding is also that if one doesn't open (preview is ok, but why
    would one bother?) the attached Office document, in any version, there's
    no harm.

    Additionally, the article gives the updates that should be applied to
    Office versions 2016 and 2019. Then, the article gives a registry edit to 'mitigate' the issue, I assume for the same Office versions, 2016 and
    2019. Why the registry edit if the updates are applied?

  • From ...w¡ñ§±¤ñ@3:633/10 to All on Thursday, January 29, 2026 23:56:02
    Subject: Re: Microsoft Office Zero-Day (CVE-2026-21509) - Emergency Patch Issued for Active Exploitation

    On 1/28/2026 9:38 PM, Boris wrote:
    ...w¡ñ§±¤ñ <winstonmvp@gmail.com> wrote in news:10lefpf$vf8m$1@dont-email.me:

    On 1/28/2026 5:45 PM, J. P. Gilliver wrote:
    On 2026/1/28 22:43:36, ...w­¤?ñ?¤ wrote:
    J. P. Gilliver wrote on 1/28/2026 2:11 PM:
    On 2026/1/28 16:6:23, ...w­¤?ñ?¤ wrote:
    []

    - Versions supported are update-able and fixable, as in the past
    earlier non-supported versions are not. Likewise, MSFT does not
    report vulnerability to versions older than indicated in the CVE.

    So earlier versions are not fixable (by this patch, anyway), but may not be vulnerable in the first place.
    It would be wise to assume the opposite => vulnerable

    - applies to any malicious Office file => 'whatever' in your
    terminology

    When I said does it have to be .docx or whatever, I meant does it
    have to be (for example) .docx, .xlsx, or whatever, as opposed to
    .doc, .xls, and so on - i. e. the "new" formats.
    All those file types can include links or phishing content - not
    sure
    why you wouldn't know that.

    This thread started about a _specific_ exploit, that MS had released a
    patch to protect against.

    The link provided to the CVE specified the exploit parameter as:
    "An attacker must send a user a malicious Office file and convince them
    to open it."
    => should be interpreted as any possible 'Office' file, i.e. no
    delineation for prior version file extensions.


    I read the article:

    <https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.htm


    I have some questions.

    My understanding is that any of the Office programs in versions 2021 and later, will be protected with a 'service-side change'. What is a service-side change?

    Afaik...a service side change indicates a future update deployed
    automatically by Office or manually attempted by user (within Office
    program - check for updates).
    - Note: Office 2019/2021/M365 is updated within the program, not
    Windows Update.


    My understanding is also that if one doesn't open (preview is ok, but why would one bother?) the attached Office document, in any version, there's
    no harm.
    That is the current understanding. The malicious Office file would
    need to be opened. Have yet to see an example of how that Office file
    is named.

    Additionally, the article gives the updates that should be applied to
    Office versions 2016 and 2019. Then, the article gives a registry edit to 'mitigate' the issue, I assume for the same Office versions, 2016 and
    2019. Why the registry edit if the updates are applied?

    The 2016/2019 info may be for a pro-active approach(and the only
    approach) for 2016/2019 end-users - which may be necessary since both
    2016 and 2019 have reached end-of-support, whereas, 2021 and later have
    not reached that milestone.



    --
    ...w­¤?ñ?¤
