Microsoft Rushes Emergency Patch for Office Zero-Day Under Active Attack

January 27, 2026

Audio archived. Episodes older than 60 days are removed to save server storage. Story details remain below.

Microsoft has released an emergency out-of-band security update to fix a high-severity zero-day vulnerability in Microsoft Office that hackers are actively exploiting. The flaw, CVE-2026-21509, allows attackers to bypass OLE security protections, but users of older Office versions remain temporarily vulnerable.

Emergency Response to Active Exploitation

Microsoft issued an emergency out-of-band security update on Sunday, January 26, 2026, to address a critical vulnerability in Microsoft Office that attackers are actively exploiting in real-world attacks. The flaw, tracked as CVE-2026-21509, represents a significant security risk for organisations and individuals using affected Office products.

Understanding the Vulnerability

The vulnerability allows attackers to bypass the Object Linking and Embedding (OLE) security protections built into Office applications. OLE is a technology that enables documents to contain embedded objects from other applications. The flaw stems from the software relying on untrusted inputs when making security decisions, which lets malicious actors circumvent safeguards designed to block potentially dangerous controls.

To exploit the vulnerability, an attacker must convince a target to open a specially crafted malicious Office file. The preview pane is not an attack vector, providing some limited protection for users who receive suspicious attachments.

Affected Products and Patch Rollout

The vulnerability affects Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise. However, the patch rollout has created a two-tier protection situation.

Users running Office 2021 or later receive automatic protection through a server-side fix that takes effect after restarting their Office applications. No manual installation is required for these versions.

Security updates for Office 2016 and 2019, by contrast, were initially unavailable, leaving millions of users temporarily exposed. Microsoft has since released patches for these older versions, though users must manually apply them or implement registry modifications as a workaround.

Part of a Chaotic Month for Microsoft

This emergency patch arrives amid a particularly turbulent period for Microsoft's software quality. The January 2026 Patch Tuesday originally addressed 114 security flaws, including another actively exploited zero-day affecting the Desktop Window Manager. However, subsequent emergency fixes were required to address bugs causing Remote Desktop sign-in failures, PC shutdown issues, and widespread Outlook freezing problems for users with cloud-stored PST files.

Published January 27, 2026 at 7:29am
