Microsoft Office zero-day (CVE-2026-21509): Emergency patch issued for active exploitation

Source: The Hacker News thehackernews.com/2026/01/m…

Microsoft on Monday issued out-of-band security updates to address a high-severity Microsoft Office zero-day vulnerability that is being actively exploited. The vulnerability, tracked as CVE-2026-21509, has a CVSS score of 7.8 and is classified as a security feature bypass affecting Microsoft Office.

In an advisory, Microsoft stated: “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.”

Successful exploitation requires an attacker to deliver a specially crafted Office document and persuade a target to open it. Microsoft noted that the Preview Pane is not an attack vector for this vulnerability.
Edward Kiledjian
@ekiledjian