Microsoft patches serious Office zero-day vulnerability already being exploited in attacks


Microsoft just released an important security fix for a serious vulnerability in many versions of Office. Hackers are already using this bug in real attacks, so if you use Office on your computer, protect yourself right now.

The bug is labelled CVE-2026-21509, and it's a security feature bypass in Office. Microsoft rates it "Important" with a CVSS score of 7.8 out of 10.

Normally, Office blocks dangerous or old code hidden inside documents to stop malware, but this flaw lets attackers trick Office into ignoring its own rules. An attacker could create a Word file, Excel spreadsheet or other Office document. If you open it, the malicious code gets through, and the attacker could gain access to your computer, steal files or install malware.

The vulnerability affects a lot of common Office versions, including:

  • Microsoft Office 2016 (any edition)
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021 and 2024 (common in businesses)
  • Microsoft 365 Apps (the subscription version, both 32-bit and 64-bit)

Microsoft has addressed the issue for newer versions like Microsoft 365 Apps, Office LTSC 2021 and LTSC 2024. This is a server-side change that provides protection automatically, so there's no need for any big downloads. If you're on one of those, a simple restart of your Office apps should do the trick and activate the fix.

However, Office 2016 and 2019 are still vulnerable for now. The company promises updates for these two versions are coming soon, and they'll notify everyone when the patches are ready via the CVE page.

For Office 2016 and 2019 users, Microsoft provided a quick registry tweak to block the attack until the proper update arrives.

Here’s what you can do:

To start blocking, add the following registry keys:

Caution: Follow these steps carefully. Serious problems may occur if you modify the registry incorrectly. Before you start, we recommend that you have a known good backup of your registry. See this article for more information: https://support.microsoft.com/en-us/help/322756/how-to-back-up-and-restore-the-registry-in-windows

  1. Exit all Microsoft Office applications. Start the Registry Editor by tapping Start (or pressing the Windows key on your keyboard), then typing regedit and pressing Enter.
  2. Locate the proper registry subkey. It will be one of the following:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows)
     or
     HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit MSI Office on 64-bit Windows)
     or
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Click2Run Office, or 32-bit Click2Run Office on 32-bit Windows)
     or
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Click2Run Office on 64-bit Windows)
     Note: The COM Compatibility node may not be present by default. If you don't see it, add it by right-clicking the Common node and choosing Add Key.
  3. Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key.
  4. Within that new subkey, add one new value by right-clicking the new subkey and choosing New > DWORD (32-bit) Value: a REG_DWORD hexadecimal value called Compatibility Flags with a value of 400.
  5. Exit Registry Editor and start your Office application.
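For administrators who need to apply the same interim mitigation to many Office 2016/2019 machines, the registry steps above can be scripted. The PowerShell below is an added example written for this article, not a script from Microsoft or the original post; it uses only the four key paths, the CLSID subkey name and the Compatibility Flags value given in the steps, and assumes it is run from an elevated prompt after all Office applications are closed. It writes the value to every Office 16.0 hive that actually exists on the machine, then reports whether the flag is present so the change can be verified (or audited later without modifying anything, by calling only the Test function).

```powershell
# Added example (not Microsoft's or the article's own script): scripts the interim
# CVE-2026-21509 registry mitigation described above and verifies it.
# Assumptions: elevated prompt, Office apps closed, Office 16.0 install.

$Clsid     = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # subkey name from the article
$ValueName = 'Compatibility Flags'                       # REG_DWORD name from the article
$ValueData = 0x400                                       # hexadecimal 400, as in the article

# The four candidate "Common" nodes from the article. Which one applies depends on
# MSI vs Click-to-Run install and 32-bit vs 64-bit Office / Windows, so we simply
# handle whichever of them exist on this machine.
$CommonNodes = @(
    'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common',
    'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common'
)

function Set-OfficeComCompatMitigation {
    # Creates COM Compatibility\{CLSID} under each existing Common node (the
    # COM Compatibility node may be absent by default) and sets the DWORD.
    param([switch]$WhatIf)   # -WhatIf only prints what would change
    foreach ($common in $CommonNodes) {
        if (-not (Test-Path -LiteralPath $common)) {
            Write-Verbose "Skipping $common (no Office 16.0 in this hive)"
            continue
        }
        $target = Join-Path $common "COM Compatibility\$Clsid"
        if ($WhatIf) {
            Write-Host ("Would set {0}=0x{1:X} under {2}" -f $ValueName, $ValueData, $target)
            continue
        }
        if (-not (Test-Path -LiteralPath $target)) {
            New-Item -Path $target -Force | Out-Null   # -Force creates missing parents
        }
        Set-ItemProperty -LiteralPath $target -Name $ValueName -Value $ValueData -Type DWord
        Write-Host "Applied mitigation under $target"
    }
}

function Test-OfficeComCompatMitigation {
    # Read-only check: one object per Office hive found, with whether the
    # 0x400 bit is set. Safe to run on its own for auditing.
    foreach ($common in $CommonNodes) {
        if (-not (Test-Path -LiteralPath $common)) { continue }
        $target  = Join-Path $common "COM Compatibility\$Clsid"
        $current = $null
        if (Test-Path -LiteralPath $target) {
            $current = (Get-ItemProperty -LiteralPath $target -Name $ValueName `
                        -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            Hive      = $common
            Mitigated = ($null -ne $current) -and (($current -band $ValueData) -eq $ValueData)
            Current   = if ($null -eq $current) { '<absent>' } else { '0x{0:X}' -f $current }
        }
    }
}

Set-OfficeComCompatMitigation
Test-OfficeComCompatMitigation | Format-Table -AutoSize
```

Run Test-OfficeComCompatMitigation again after the official Office 2016/2019 update is installed if you intend to remove the workaround, so you can confirm which hives still carry the flag before deleting the subkey.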

You can find more details about the CVE-2026-21509 vulnerability patch on Microsoft's official CVE page.


Update: On January 27, Microsoft released the security update for Office 2016 and 2019.
