On January 26 (local time), Microsoft promptly issued an out-of-band security update to tackle a severe zero-day vulnerability (CVE-2026-21509) in Microsoft Office. This flaw, categorized as a security feature bypass, impacts Office 2016, 2019, LTSC 2021, LTSC 2024, as well as Microsoft 365 Business. At present, security updates for Office 2016 and 2019 are still in the pipeline, but Microsoft is committed to rolling them out at the earliest opportunity.
Attackers can exploit this vulnerability by sending malicious files and luring users into opening them. For Office 2021 and later editions, Microsoft has enabled protection automatically through server-side changes; the protection takes effect once users restart their Office applications. In the meantime, users of Office 2016 and 2019 can protect themselves either by installing the updates once available or by applying the registry entries Microsoft has provided as a mitigation.
As of now, Microsoft has not disclosed who discovered the vulnerability, nor any specifics on how it is being exploited in the wild. Earlier, Microsoft addressed 114 security vulnerabilities in the January 2026 'Patch Tuesday' update, and it has recently released several out-of-band updates to resolve issues such as abnormal system shutdowns.
