Microsoft issues emergency patch for Office zero-day CVE-2026-21509
Microsoft has released an emergency patch to fix a zero-day security flaw in Office, CVE-2026-21509, that the company says has already been exploited in the wild and could let attackers bypass Office security to deliver a malicious document. Microsoft described the bug as a Microsoft Office Security Feature Bypass Vulnerability that circumvents OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Microsoft Office.
The mitigations are intended to stop attackers from using embedded or linked content to deliver malicious files. ZDNet lists the affected editions as Microsoft Office 2016 (32-bit); Microsoft Office 2019 (32-bit and 64-bit); Microsoft 365 Apps for Enterprise (32-bit and 64-bit); Microsoft Office LTSC 2021 (32-bit and 64-bit); and Microsoft Office LTSC 2024 (32-bit and 64-bit).
How you get the patch depends on your Office version. Microsoft says editions of Office 2021 or later are protected via a server-side change that requires restarting Office. For Office 2016 and 2019, Microsoft did not explain how the fix is distributed; ZDNet notes you will likely need to update Office manually (open any Office app, go to File > Account > Update Options > Update Now) and then confirm the Build number reads 16.0.10417.20095 or higher.
The report warns that attackers can exploit the flaw in phishing campaigns that prompt victims to open malicious file attachments, and that the built-in OLE protections are not working as intended in the affected builds.