CVE-2026-21509: Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally
▪️Zero Day: Yes; Actively exploited
▪️CVSS: 7.8
▪️CVE Published: Today, January 26th, 2026
Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
Affected Products:
▪️Microsoft Office 2016 (64-bit edition)
▪️Microsoft Office 2016 (32-bit edition)
▪️Microsoft Office LTSC 2024 for 64-bit editions
▪️Microsoft Office LTSC 2024 for 32-bit editions
▪️Microsoft Office LTSC 2021 for 32-bit editions
▪️Microsoft Office LTSC 2021 for 64-bit editions
▪️Microsoft 365 Apps for Enterprise for 64-bit Systems
▪️Microsoft 365 Apps for Enterprise for 32-bit Systems
▪️Microsoft Office 2019 for 64-bit editions
▪️Microsoft Office 2019 for 32-bit editions
Mitigations per Microsoft Advisory article:
Customers on Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.
Customers on Office 2016 and 2019 are not protected until they install the upcoming security update. Customers on these versions can apply the registry keys described below to be immediately protected.
Microsoft Office:
- To start blocking, add the following registry keys:
Caution: Follow these steps carefully. Serious problems may occur if you modify the registry incorrectly. Before you start, we recommend that you have a known good backup of your registry. See this article for more information: https://support.microsoft.com/en-us/help/322756/how-to-back-up-and-restore-the-registry-in-windows
- Exit all Microsoft Office applications.
- Start the Registry Editor by tapping Start (or pressing the Windows key on your keyboard), then typing regedit and pressing Enter.
- Locate the proper registry subkey. It will be one of the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows)
or
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit MSI Office on 64-bit Windows)
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Click2Run Office, or 32-bit Click2Run Office on 32-bit Windows)
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Click2Run Office on 64-bit Windows)
Note: The COM Compatibility node may not be present by default. If you don't see it, add it by right-clicking the Common node and choosing Add Key.
- Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key.
- Within that new subkey, add one new value by right-clicking the new subkey and choosing New > DWORD (32-bit) Value: a REG_DWORD value named Compatibility Flags, with the hexadecimal value 400 (decimal 1024).
- Exit Registry Editor and start your Office application.
Example
For example, in Office 2016, 64-bit, on Windows you would locate this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\
Note: Remember, if the COM Compatibility node doesn't exist yet you'll need to create it.
Then add a subkey with the name {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
In this case, the resulting path is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
To that subkey you'll add a REG_DWORD value called Compatibility Flags with a value of 400.
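The same registry change as a PowerShell script, added here as an example and not part of the Microsoft advisory: it applies the mitigation to whichever of the four base paths quoted above matches the installation, or only audits it with -Audit. The install-type labels (MSI64, MSI32onWin64, C2R64, C2R32onWin64) are this example's own naming, and the decision to OR the 0x400 bit into an existing value rather than overwrite it is the example's own choice.

```powershell
# Added example: apply or audit the CVE-2026-21509 COM Compatibility mitigation.
# Run from an elevated PowerShell prompt after closing all Office applications.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('MSI64', 'MSI32onWin64', 'C2R64', 'C2R32onWin64')]
    [string]$InstallType,
    [switch]$Audit   # report the current state only; change nothing
)

$Clsid = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$Flag  = 0x400     # "Compatibility Flags" value from the advisory (hex 400 = decimal 1024)

# The four base paths given in the advisory, keyed by install type (labels are this script's own).
$BasePaths = @{
    MSI64        = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
    MSI32onWin64 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
    C2R64        = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility'
    C2R32onWin64 = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility'
}

$BasePath = $BasePaths[$InstallType]
$KeyPath  = Join-Path $BasePath $Clsid

# Read the current value (if any) so that audit and apply share one check.
$Current = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'

if ($null -ne $Current -and ($Current -band $Flag) -eq $Flag) {
    Write-Output ("Mitigated: {0} has Compatibility Flags = 0x{1:X}" -f $KeyPath, $Current)
    return
}

if ($Audit) {
    Write-Output "NOT mitigated: $KeyPath (Compatibility Flags = $Current)"
    return
}

# The COM Compatibility node may be absent by default; create it and the CLSID subkey as needed.
if (-not (Test-Path $BasePath)) { New-Item -Path $BasePath | Out-Null }
if (-not (Test-Path $KeyPath))  { New-Item -Path $KeyPath  | Out-Null }

# Preserve any bits already set rather than clobbering them (script's own choice;
# the advisory simply says to set the value to 400).
$NewValue = if ($null -eq $Current) { $Flag } else { $Current -bor $Flag }
New-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -PropertyType DWord -Value $NewValue -Force | Out-Null

Write-Output ("Applied: {0} Compatibility Flags = 0x{1:X}. Restart Office applications." -f $KeyPath, $NewValue)
```

Run it once with -Audit across a fleet to find unprotected Office 2016/2019 hosts before the security update lands, then without -Audit to apply the key.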