Microsoft has released an out-of-band emergency security update to address a zero-day vulnerability in Microsoft Office that is being actively exploited, extending support for affected versions through 2026.
The vulnerability, tracked as CVE-2026-21509, carries a high severity score of 7.8 out of 10. It is classified as a security feature bypass flaw that allows attackers to evade Office’s Object Linking and Embedding (OLE) protections.
According to Microsoft, the flaw arises because Office improperly trusts certain embedded data that can contain malicious code. This enables attackers to bypass built-in security mechanisms and potentially execute harmful actions on a victim’s system.
Exploitation occurs when a user opens a specially crafted Office file sent by an attacker, such as a Word or Excel document containing embedded malicious code. Attackers therefore rely on social engineering techniques to trick users into opening the file; no exploitation or malware installation can take place until the user does so.
Microsoft said the vulnerability affects multiple Office versions, including Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024 and Microsoft 365 Apps for Enterprise.
The company clarified that simply previewing a malicious file in Windows Explorer does not trigger the vulnerability, as the Preview Pane is not an attack vector for this issue.
For users of Office 2021 and later, including Microsoft 365, the vulnerability has already been patched and updates are being deployed automatically. However, Office 2016 and Office 2019 have not yet received the fix, with Microsoft stating that patches for these versions will be released as soon as possible.
Microsoft has urged users to avoid opening Office files from untrusted sources and to install all available security updates promptly to reduce the risk of potential attacks.