Cybersecurity Blog | RedLegg

Security Bulletin: Security Feature Bypass in Microsoft Office OLE / COM Mitigation Controls

Written by RedLegg's Cyber Threat Intelligence Team | 1/27/26 2:38 PM

About:

CVE-2026-21509 is a high-severity security feature bypass vulnerability in Microsoft Office caused by improper trust handling in OLE and COM object validation. The flaw allows attackers to bypass built-in protections designed to block unsafe or vulnerable ActiveX and COM components. This vulnerability is being actively exploited as a zero-day and may be leveraged to facilitate malicious document-based attacks, potentially enabling follow-on code execution or malware delivery.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Security Feature Bypass in Microsoft Office OLE / COM Mitigation Controls

CVSS Score: 7.8 (High / CVSS 3.1)

Identifier: CVE-2026-21509

Exploit or Proof of Concept (PoC): 
CVE-2026-21509 is actively exploited in the wild as a zero-day. 

Update / Patch:

Microsoft released out-of-band security updates for supported Microsoft 365 and Office channels to address CVE-2026-21509.
 
Official tracking and update page:
 
Description: 

CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office caused by improper trust handling in OLE and COM object validation. The flaw allows attackers to bypass protections designed to block vulnerable or unsafe ActiveX and COM components.

 

Mitigation Recommendation:

For environments running Office 2021 and later, a restart is needed for the protections to take effect.
 
For environments temporarily unable to patch (Office 2016 and 2019), apply Microsoft's registry-based COM compatibility mitigation to block the vulnerable control until updates are deployed.
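
To confirm the registry mitigation actually landed on an endpoint, the following read-only PowerShell audit is an added example, not code from RedLegg or Microsoft. It assumes the mitigation uses Office's general "COM Compatibility" kill-bit layout (`Compatibility Flags` with bit `0x400`) and the usual MSI and Click-to-Run registry locations; the function name is hypothetical and the CLSID shown is a placeholder that must be replaced with the one in Microsoft's advisory.

```powershell
# Added example: read-only audit of the Office COM kill bit for one CLSID.
# Assumptions (not from the bulletin): the key layout below is Office's general
# "COM Compatibility" mechanism; the CLSID comes from Microsoft's advisory.
function Test-OfficeComKillBit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid,
        [string]$OfficeVersion = '16.0'   # Office 2016 and 2019 both use 16.0
    )
    $killBit = 0x400   # flag that tells Office not to load the COM object
    $suffix  = "Microsoft\Office\$OfficeVersion\Common\COM Compatibility\$Clsid"
    $c2r     = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software'
    $roots   = @(
        'HKLM:\SOFTWARE',               # MSI install, Office bitness matches the OS
        'HKLM:\SOFTWARE\WOW6432Node',   # MSI install, 32-bit Office on 64-bit OS
        $c2r,                           # Click-to-Run, bitness matches the OS
        "$c2r\WOW6432Node"              # Click-to-Run, 32-bit Office on 64-bit OS
    )
    foreach ($root in $roots) {
        $path  = Join-Path $root $suffix
        $flags = $null
        if (Test-Path -LiteralPath $path) {
            $item  = Get-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' `
                         -ErrorAction SilentlyContinue
            if ($item) { $flags = $item.'Compatibility Flags' }
        }
        # One row per candidate location so gaps are visible in fleet reports.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Path     = $path
            Flags    = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { $null }
            Blocked  = ($null -ne $flags) -and (($flags -band $killBit) -eq $killBit)
        }
    }
}

# Placeholder CLSID (constructed); replace with the value from Microsoft's advisory.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Test-OfficeComKillBit -Clsid $clsid | Format-Table -AutoSize
```

Only the row matching the installed Office type and bitness needs to report `Blocked = True`; a host where every row is `False` has not received the mitigation.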