Microsoft has issued an emergency patch to address a critical security feature bypass vulnerability in Microsoft Office, identified as CVE-2026-21509. This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 7.8 out of 10.0, already categorizing it as critical. The United States Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog. This addition highlights how quickly users need to act.
This vulnerability allows unprivileged attackers to bypass important security features in Microsoft Office applications. Consequently, it might make exploitation more likely. Microsoft went on to explain that the vulnerability defeats the protections against Object Linking and Embedding (OLE) controls.
Affected Versions and Required Updates
The patch applies to several versions of Microsoft Office. For users on Microsoft Office 2019, the 32- and 64-bit editions need update version 16.0.10417.20095. Similarly, Microsoft Office 2016 users on the Semi-Annual Channel (as that edition was called then) need to install update version 16.0.5539.1001.
Furthermore, users of Microsoft Office 2021 and up will automatically be protected through the application of a service-side change executed by Microsoft. A restart of Office applications is required before this change can take effect.
Actions for Federal Agencies and Users
The deadline for all Federal Civilian Executive Branch (FCEB) agencies to implement the required patches is February 16, 2026. This required action highlights the serious need to fix this vulnerability quickly in order to keep federal IT systems secure.
To apply the patch properly, users are advised to close all Microsoft Office programs and create a backup of their system’s registry. The registry subkey locations depend on the system configuration. For instance, for 64-bit MSI Office, or for 32-bit MSI Office on 32-bit Windows, the subkey is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility. To take advantage of these changes, users should manually add a new subkey under {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} (COM Compatibility node).
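The preparation steps above can be scripted as a pre-change audit. The following PowerShell is an added example, not code from Microsoft or from this article: it makes no registry changes, the backup directory and the list of Office process names are assumptions, and it exports only the COM Compatibility key rather than the whole registry.

```powershell
# Added example: pre-change audit for the registry step described above.
# The key path and CLSID are taken from the article; everything else is an assumption.
param(
    [string]$BackupDir = (Join-Path $env:TEMP 'office-reg-backup')  # hypothetical location
)
$ErrorActionPreference = 'Stop'

$keyPs     = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
$keyNative = $keyPs -replace '^HKLM:', 'HKLM'          # form expected by reg.exe
$clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'

# 1. Office programs must be closed before the registry is touched.
#    Assumed process list; extend it for other Office apps in your estate.
$officeProcs = 'WINWORD','EXCEL','POWERPNT','OUTLOOK','MSACCESS','MSPUB','ONENOTE','VISIO','WINPROJ'
$running = Get-Process -Name $officeProcs -ErrorAction SilentlyContinue
if ($running) {
    Write-Warning ('Close these first: ' + (($running.Name | Sort-Object -Unique) -join ', '))
    exit 1
}

# 2. The path above is the one for 64-bit MSI Office, or 32-bit MSI Office on
#    32-bit Windows. If it is missing, this host uses a different configuration.
if (-not (Test-Path -LiteralPath $keyPs)) {
    Write-Warning "Key not found: $keyNative (different install type or bitness?)"
    exit 2
}

# 3. Back up the key before anyone edits it (timestamped, never overwritten in practice).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('COM-Compatibility-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $keyNative $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 4. Report whether the CLSID subkey already exists and what values it holds.
$subKey  = "$keyPs\$clsid"
$present = Test-Path -LiteralPath $subKey
$values  = @{}
if ($present) {
    $item = Get-Item -LiteralPath $subKey
    foreach ($name in $item.GetValueNames()) { $values[$name] = $item.GetValue($name) }
}

[pscustomobject]@{
    Key                = $keyNative
    Backup             = $backup
    ClsidSubkeyPresent = $present
    Values             = $values
}
```

Exit code 1 means Office is still running, and exit code 2 means the key path for this configuration was not found; the emitted object can be collected across hosts to track which machines already carry the subkey.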
Importance of Timely Updates
Microsoft has been outspoken about the dangers of failing to apply these updates quickly. The company stated, “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.” This highlights the importance for all users to proactively keep their software current.
Furthermore, Microsoft noted the importance of the patch, stating, “This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office, which protect users from vulnerable COM/OLE controls.” These statements underscore the need for users to respond appropriately given the potentially hazardous conditions described therein.

