On January 26, 2026, Microsoft issued an urgent out-of-band security update for a high-severity zero-day vulnerability, tracked as CVE-2026-21509, that attackers are actively exploiting in Office applications. The flaw carries a CVSS (Common Vulnerability Scoring System) score of 7.8 and affects multiple versions of Office, including Office 2016, 2019, 2021, and Microsoft 365. Its root cause is that Office places trust in untrusted user input. This lets an attacker bypass the OLE (Object Linking and Embedding) security protections and achieve remote code execution on a victim's system, provided the victim can be persuaded to open a malicious document.
For Office 2021 and Microsoft 365, the fix has been deployed automatically through a server-side update; it does not take effect until users restart their Office applications. Office 2016 and 2019 users must install the security update manually. As an interim mitigation, the risk can also be reduced by editing the registry to disable the specific COM (Component Object Model) objects involved.
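The following PowerShell script is an added example, not code from the article or from Microsoft, that turns the guidance above into an endpoint check an administrator could run: it reads the installed Click-to-Run build, flags Office processes that still need a restart for a server-side fix to take effect, and applies a per-user COM block as an interim mitigation. Two values are placeholders because the article does not give them: the patched build number (`$MinimumPatchedBuild`) and the CLSIDs of the COM objects to block (`$BlockedClsids`); take both from Microsoft's advisory. The script also assumes that the mitigation uses Office's `COM Compatibility` registry key with `Compatibility Flags` set to `0x400`, the mechanism Office has historically used to refuse to instantiate a COM object; confirm this against the advisory before deploying.

```powershell
# Added example (not from the article or from Microsoft). Placeholders and assumptions:
#   - $MinimumPatchedBuild is a PLACEHOLDER; use the build number from Microsoft's advisory.
#   - $BlockedClsids is a PLACEHOLDER list; the article does not name the COM objects.
#   - The "COM Compatibility" / "Compatibility Flags" = 0x400 mechanism is ASSUMED to be
#     the one the advisory's registry mitigation relies on; verify before use.

$MinimumPatchedBuild = [Version]'16.0.0.0'                      # PLACEHOLDER
$BlockedClsids = @('{00000000-0000-0000-0000-000000000000}')    # PLACEHOLDER

function Get-OfficeClickToRunVersion {
    # Click-to-Run installs (Microsoft 365, Office 2019/2021) record their build here.
    # MSI-based Office 2016 installs do not have this key and are serviced separately.
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.VersionToReport) { return $null }
    return [Version]$props.VersionToReport
}

function Test-OfficePatched {
    param([Version]$Installed, [Version]$Minimum)
    # Unknown build counts as unpatched so the caller errs on the side of mitigating.
    if ($null -eq $Installed) { return $false }
    return $Installed -ge $Minimum
}

function Get-RunningOfficeProcesses {
    # Office 2021 / Microsoft 365 receive the fix server-side, but a process started
    # before the update is still running the old code until it is restarted.
    Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK, MSACCESS -ErrorAction SilentlyContinue
}

function Set-OfficeComBlock {
    param([string]$Clsid, [string]$OfficeVersionKey = '16.0')
    # Setting Compatibility Flags = 0x400 under COM Compatibility tells Office not to
    # instantiate the object. The key is per-user (HKCU), so apply it per profile or via GPO.
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersionKey\Common\COM Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
}

# --- usage ---
$installed = Get-OfficeClickToRunVersion
if (Test-OfficePatched -Installed $installed -Minimum $MinimumPatchedBuild) {
    Write-Host "Office build $installed is at or above the patched build."
    $running = Get-RunningOfficeProcesses
    if ($running) {
        Write-Warning "Restart these applications so the fix takes effect: $($running.Name -join ', ')"
    }
} else {
    Write-Warning "Office build '$installed' is below the patched build, or this is not a Click-to-Run install."
    Write-Host "Applying interim COM block(s) listed in the advisory..."
    foreach ($clsid in $BlockedClsids) { Set-OfficeComBlock -Clsid $clsid }
}
```

The COM block is a stopgap, not a replacement for the update: it only prevents Office from loading the listed objects, so remove it once the real patch is confirmed installed, and keep the restart check in place because a "patched" build reported by the registry says nothing about which code a long-running Word or Outlook process is actually executing.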
Microsoft strongly urges all users to update their Office applications immediately. It also reminds organizations to prioritize patching this vulnerability, to enable automatic updates wherever possible, and to stay alert to phishing, since exploitation depends on a user opening a malicious document.
