Microsoft Office Zero-Day CVE-2026-21509, Emergency Patch, Mitigation Steps

What happened

Microsoft released an out-of-band (emergency) security update for an actively exploited Microsoft Office zero-day tracked as CVE-2026-21509 (CVSS 7.8 / High). The issue is classified as a security feature bypass: Office can be tricked into making a security decision using untrusted inputs, allowing an attacker to bypass protections meant to block risky COM/OLE behavior.

Why this zero-day matters

This is the pattern defenders keep losing to: email-delivered document + user interaction + protection bypass. Exploitation requires an attacker to deliver a specially crafted Office file and convince a user to open it (not just preview it). Once those guardrails are bypassed, attackers can pivot to payload delivery, credential theft, and follow-on actions that look like “normal” user activity until it’s too late.

Who is affected

The guidance in the reporting calls out multiple Office lines and version behaviors:

Office 2021 and later / Microsoft 365 Apps: protected via a service-side change, but users must restart Office apps for it to take effect.

Office 2016 and Office 2019: require installing specific security updates (see next section).

The vulnerability is listed in government tracking as a known exploited issue, with a remediation due date shown as February 16, 2026.

Patch details (what “patched” means here)

Reporting indicates the following update versions for MSI-based Office 2016/2019 environments:

Office 2019 (32/64-bit): 16.0.10417.20095

Office 2016 (32/64-bit): 16.0.5539.1001

What to do now (practical response checklist)

Inventory and scope

Enumerate Office versions across endpoints, VDI, jump boxes, and any kiosk/shared systems.

Flag Office 2016/2019 specifically; those often sit outside modern autopatching patterns.

Patch or restart

For Office 2021+/M365 Apps: force an Office app restart across user populations (managed restart windows if needed).

For Office 2016/2019: deploy the required updates and validate the target build numbers.

Temporary mitigation for delayed systems

Apply the registry-based COM compatibility mitigation (kill bit) where patching can’t be completed immediately.

Reduce document-based initial access

Tighten email and endpoint controls around inbound Office files from the internet, especially for high-risk roles (finance, HR, exec admins).

How InfoSight helps (mapped to this incident)

InfoSight’s operating model focuses on shrinking the “unknown exploited → verified fixed” window:

Exposure discovery: identify where vulnerable Office builds exist (including legacy pockets).

Prioritized remediation: route fixes by exploit status and business criticality, not generic severity.

Verification and reporting: prove patch state and produce leadership-ready remediation evidence tied to timelines (MTTR for vulnerabilities).

This is the difference between “we pushed the patch” and “we can prove risk dropped.”