Microsoft Office vulnerability (CVE-2026-21509) in active exploitation

AndyC 28 January 2026

On January 26, 2026, Microsoft released an out-of-band update to address a high-severity (CVSS score of 7.8) vulnerability affecting multiple Microsoft Office products.

On January 26, 2026, Microsoft released an out-of-band update to address a high-severity (CVSS score of 7.8) vulnerability affecting multiple Microsoft Office products. This vulnerability, tracked as CVE-2026-21509, is being actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

The issue stems from the application’s “reliance on untrusted inputs when making security decisions”, which allows attackers to bypass Object Linking and Embedding (OLE) security mitigations built into Microsoft Office and Microsoft 365. Exploitation requires an attacker to convince a user to open a specially crafted malicious Office file.

Affected software includes Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise.

Recommended actions

Organizations should identify vulnerable Microsoft Office instances in their environments and apply updates or mitigations as appropriate. Microsoft recommends implementing protections as soon as possible given the active exploitation.

Sophos actions

SophosLabs is investigating the feasibility of detections for this threat.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Embracing Choice in Cybersecurity: TrendAI Vision One™ and SentinelOne Integration

Embracing Choice in Cybersecurity: TrendAI Vision One™ and SentinelOne Integration

AndyC 28 January 2026
Pwn2Own: Researchers Earn Million for 76 Zero-Days

Pwn2Own: Researchers Earn $1 Million for 76 Zero-Days

AndyC 28 January 2026
Android Adds ‘Accountability Layer’ to Third-Party Apps

Android Adds ‘Accountability Layer’ to Third-Party Apps

AndyC 28 January 2026
Microsoft’s Patch Fixes Are Breaking Windows, Forcing a Second Emergency Update

Microsoft’s Patch Fixes Are Breaking Windows, Forcing a Second Emergency Update

AndyC 28 January 2026
Upgrade to Microsoft Windows 11 Home for Just

Upgrade to Microsoft Windows 11 Home for Just $10

AndyC 28 January 2026
New Android Theft Protection Feature Updates: Smarter, Stronger

New Android Theft Protection Feature Updates: Smarter, Stronger

AndyC 28 January 2026

You may have missed

When Hospitals Go Dark and Browsers Turn Rogue

When Hospitals Go Dark and Browsers Turn Rogue

AndyC 28 January 2026
Fixes released for a serious Microsoft Office zero-day flaw

NDSS 2025 – On the Robustness Of LDP Protocols For Numerical Attributes Under Data Poisoning Attacks

AndyC 28 January 2026
French authorities to ban Teams, Zoom, other video apps for gov’t use

Power shortages, carbon capture, and AI automation: What’s ahead for data centers in 2026

AndyC 28 January 2026
Celebrating Data Privacy Week with NIST’s Privacy Engineering Program

Celebrating Data Privacy Week with NIST’s Privacy Engineering Program

AndyC 28 January 2026
Shadowserver finds 6,000+ likely vulnerable SmarterMail servers exposed online

Shadowserver finds 6,000+ likely vulnerable SmarterMail servers exposed online

AndyC 28 January 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.