Microsoft Office Security Feature Bypass Vulnerability
Summary
| CVE | CVE-2026-21509 |
|---|---|
| State | PUBLISHED |
| Assigner | microsoft |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-26 18:16:38 UTC |
| Updated | 2026-06-25 05:16:53 UTC |
| Description | Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.721520000 probability, percentile 0.993570000 (date 2026-07-02)
CISA KEV: Listed on 2026-01-26; due 2026-02-16; ransomware use Unknown
Problem Types: CWE-807: Reliance on Untrusted Inputs in a Security Decision
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability
| Vendor | Microsoft |
|---|---|
| Product | Office |
| Name | Microsoft Office Security Feature Bypass Vulnerability |
| Required Action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| Notes | Please adhere to Microsoft’s recommended guidelines to address this vulnerability. Implement all final mitigations provided by the vendor for Office 2021, and apply the interim corresponding mitigations for Office 2016 and Office 2019 until the final patch becomes available. For more information please see: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21509 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Microsoft | 365 Apps | - | All | All | All |
| Application | Microsoft | Office | 2016 | All | All | All |
| Application | Microsoft | Office | 2019 | All | All | All |
| Application | Microsoft | Office Long Term Servicing Channel | 2021 | All | All | All |
| Application | Microsoft | Office Long Term Servicing Channel | 2024 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Microsoft | Microsoft 365 Apps For Enterprise | affected: from 16.0.1, fixed builds listed at https://aka.ms/OfficeSecurityReleases (version type: custom) | 32-bit Systems, x64-based Systems |
| CNA | Microsoft | Microsoft Office 2016 | affected: from 16.0.0, less than 16.0.5539.1001 (version type: custom) | 32-bit Systems, x64-based Systems |
| CNA | Microsoft | Microsoft Office 2019 | affected: from 19.0.0, less than 16.0.10417.20095 (version type: custom) | 32-bit Systems, x64-based Systems |
| CNA | Microsoft | Microsoft Office LTSC 2021 | affected: from 16.0.1, fixed builds listed at https://aka.ms/OfficeSecurityReleases (version type: custom) | 32-bit Systems, x64-based Systems |
| CNA | Microsoft | Microsoft Office LTSC 2024 | affected: from 16.0.0, fixed builds listed at https://aka.ms/OfficeSecurityReleases (version type: custom) | 32-bit Systems, x64-based Systems |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.vicarius.io/vsociety/posts/cve-2026-21509-detection-script-microsoft-offi... | af854a3a-2127-422b-91ae-364da2661108 | www.vicarius.io | Third Party Advisory |
| msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509 | [email protected] | msrc.microsoft.com | Vendor Advisory |
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | US Government Resource |
| www.vicarius.io/vsociety/posts/cve-2026-21509-mitigation-script-microsoft-off... | af854a3a-2127-422b-91ae-364da2661108 | www.vicarius.io | Mitigation, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.