{"api_version":"1","generated_at":"2026-07-04T00:08:39+00:00","cve":"CVE-2026-21509","urls":{"html":"https://cve.report/CVE-2026-21509","api":"https://cve.report/api/cve/CVE-2026-21509.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-21509","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-21509"},"summary":{"title":"Microsoft Office Security Feature Bypass Vulnerability","description":"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.","state":"PUBLISHED","assigner":"microsoft","published_at":"2026-01-26 18:16:38","updated_at":"2026-06-25 05:16:53"},"problem_types":["CWE-807","CWE-807 CWE-807: Reliance on Untrusted Inputs in a Security Decision"],"metrics":[{"version":"3.1","source":"secure@microsoft.com","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C","data":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C","version":"3.1"}}],"references":[{"url":"https://www.vicarius.io/vsociety/posts/cve-2026-21509-detection-script-microsoft-office-security-feature-bypass-vulnerability","name":"https://www.vicarius.io/vsociety/posts/cve-2026-21509-detection-script-microsoft-office-security-feature-bypass-vulnerability","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509","name":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509","refsource":"secure@microsoft.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509","name":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.vicarius.io/vsociety/posts/cve-2026-21509-mitigation-script-microsoft-office-security-feature-bypass-vulnerability","name":"https://www.vicarius.io/vsociety/posts/cve-2026-21509-mitigation-script-microsoft-office-security-feature-bypass-vulnerability","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mitigation","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-21509","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21509","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Microsoft","product":"Microsoft 365 Apps for Enterprise","version":"affected 16.0.1 https://aka.ms/OfficeSecurityReleases custom","platforms":["32-bit Systems","x64-based Systems"]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Office 2016","version":"affected 16.0.0 16.0.5539.1001 custom","platforms":["32-bit Systems","x64-based Systems"]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Office 2019","version":"affected 19.0.0 16.0.10417.20095 custom","platforms":["32-bit Systems","x64-based Systems"]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Office LTSC 2021","version":"affected 16.0.1 https://aka.ms/OfficeSecurityReleases custom","platforms":["32-bit Systems","x64-based Systems"]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Office LTSC 2024","version":"affected 16.0.0 https://aka.ms/OfficeSecurityReleases custom","platforms":["32-bit Systems","x64-based Systems"]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"365_apps","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"x64","cpe13":"*"},{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"365_apps","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"x86","cpe13":"*"},{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"office","cpe6":"2016","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"x64","cpe13":"*"},{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"office","cpe6":"2016","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"x86","cpe13":"*"},{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"office","cpe6":"2019","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"x64","cpe13":"*"},{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"office","cpe6":"2019","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"x86","cpe13":"*"},{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"office_long_term_servicing_channel","cpe6":"2021","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"-","cpe12":"x64","cpe13":"*"},{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"office_long_term_servicing_channel","cpe6":"2021","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"-","cpe12":"x86","cpe13":"*"},{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"office_long_term_servicing_channel","cpe6":"2024","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"-","cpe12":"x64","cpe13":"*"},{"cve_year":"2026","cve_id":"21509","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"office_long_term_servicing_channel","cpe6":"2024","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"-","cpe12":"x86","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2026","cve_id":"21509","cve":"CVE-2026-21509","vendorProject":"Microsoft","product":"Office","vulnerabilityName":"Microsoft Office Security Feature Bypass Vulnerability","dateAdded":"2026-01-26","shortDescription":"Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version.","requiredAction":"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","dueDate":"2026-02-16","knownRansomwareCampaignUse":"Unknown","notes":"Please adhere to Microsoft’s recommended guidelines to address this vulnerability. Implement all final mitigations provided by the vendor for Office 2021, and apply the interim corresponding mitigations for Office 2016 and Office 2019 until the final patch becomes available. For more information please see: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21509","cwes":"CWE-807","catalogVersion":"2026.07.01","updated_at":"2026-07-01 19:35:15"},"epss":{"cve_year":"2026","cve_id":"21509","cve":"CVE-2026-21509","epss":"0.721520000","percentile":"0.993580000","score_date":"2026-07-03","updated_at":"2026-07-04 00:02:20"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-21509","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-01-26T00:00:00+00:00","version":"2.0.3"},"type":"ssvc"}},{"other":{"content":{"dateAdded":"2026-01-26","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509"},"type":"kev"}}],"providerMetadata":{"dateUpdated":"2026-06-25T03:55:21.534Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["government-resource"],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509"}],"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2026-02-10T14:57:48.648Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://www.vicarius.io/vsociety/posts/cve-2026-21509-detection-script-microsoft-office-security-feature-bypass-vulnerability"},{"url":"https://www.vicarius.io/vsociety/posts/cve-2026-21509-mitigation-script-microsoft-office-security-feature-bypass-vulnerability"}],"title":"CVE Program Container","x_generator":{"engine":"ADPogram 0.0.1"}}],"cna":{"affected":[{"platforms":["32-bit Systems","x64-based Systems"],"product":"Microsoft 365 Apps for Enterprise","vendor":"Microsoft","versions":[{"lessThan":"https://aka.ms/OfficeSecurityReleases","status":"affected","version":"16.0.1","versionType":"custom"}]},{"platforms":["32-bit Systems","x64-based Systems"],"product":"Microsoft Office 2016","vendor":"Microsoft","versions":[{"lessThan":"16.0.5539.1001","status":"affected","version":"16.0.0","versionType":"custom"}]},{"platforms":["32-bit Systems","x64-based Systems"],"product":"Microsoft Office 2019","vendor":"Microsoft","versions":[{"lessThan":"16.0.10417.20095","status":"affected","version":"19.0.0","versionType":"custom"}]},{"platforms":["32-bit Systems","x64-based Systems"],"product":"Microsoft Office LTSC 2021","vendor":"Microsoft","versions":[{"lessThan":"https://aka.ms/OfficeSecurityReleases","status":"affected","version":"16.0.1","versionType":"custom"}]},{"platforms":["32-bit Systems","x64-based Systems"],"product":"Microsoft Office LTSC 2024","vendor":"Microsoft","versions":[{"lessThan":"https://aka.ms/OfficeSecurityReleases","status":"affected","version":"16.0.0","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*","versionEndExcluding":"16.0.10417.20095","versionStartIncluding":"19.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*","versionEndExcluding":"https://aka.ms/OfficeSecurityReleases","versionStartIncluding":"16.0.1","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*","versionEndExcluding":"https://aka.ms/OfficeSecurityReleases","versionStartIncluding":"16.0.1","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*","versionEndExcluding":"https://aka.ms/OfficeSecurityReleases","versionStartIncluding":"16.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*","versionEndExcluding":"16.0.5539.1001","versionStartIncluding":"16.0.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"datePublic":"2026-01-26T16:00:00.000Z","descriptions":[{"lang":"en-US","value":"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally."}],"metrics":[{"cvssV3_1":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en-US","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-807","description":"CWE-807: Reliance on Untrusted Inputs in a Security Decision","lang":"en-US","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-01T13:49:28.047Z","orgId":"f38d906d-7342-40ea-92c1-6c4a2c6478c8","shortName":"microsoft"},"references":[{"name":"Microsoft Office Security Feature Bypass Vulnerability","tags":["vendor-advisory","patch"],"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509"}],"title":"Microsoft Office Security Feature Bypass Vulnerability"}},"cveMetadata":{"assignerOrgId":"f38d906d-7342-40ea-92c1-6c4a2c6478c8","assignerShortName":"microsoft","cveId":"CVE-2026-21509","datePublished":"2026-01-26T17:06:35.512Z","dateReserved":"2025-12-30T18:10:54.844Z","dateUpdated":"2026-06-25T03:55:21.534Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-01-26 18:16:38","lastModifiedDate":"2026-06-25 05:16:53","problem_types":["CWE-807","CWE-807 CWE-807: Reliance on Untrusted Inputs in a Security Decision"],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-26T00:00:00+00:00","id":"CVE-2026-21509","options":[{"exploitation":"active"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*","matchCriteriaId":"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*","matchCriteriaId":"CD25F492-9272-4836-832C-8439EBE64CCF"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*","matchCriteriaId":"72324216-4EB3-4243-A007-FEF3133C7DF9"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*","matchCriteriaId":"0FBB0E61-7997-4F26-9C07-54912D3F1C10"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*","matchCriteriaId":"CF5DDD09-902E-4881-98D0-CB896333B4AA"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*","matchCriteriaId":"26A3B226-5D7C-4556-9350-5222DC8EFC2C"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*","matchCriteriaId":"851BAC4E-9965-4F40-9A6C-B73D9004F4C1"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*","matchCriteriaId":"23B2FA23-76F4-4D83-A718-B8D04D7EA37B"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*","matchCriteriaId":"D31E509A-0B2E-4B41-88C4-0099E800AFE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*","matchCriteriaId":"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"21509","Ordinal":"1","Title":"Microsoft Office Security Feature Bypass Vulnerability","CVE":"CVE-2026-21509","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"21509","Ordinal":"1","NoteData":"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.","Type":"Description","Title":"Microsoft Office Security Feature Bypass Vulnerability"}]}}}