CVE-2026-21509

ENISA EUVD: EUVD-2026-4666 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: Feb. 18, 2026 6 articles Published: 2026-01-26

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

11.44%

probability

This CVE has a 11.44% probability of being exploited in the next 30 days.

0% Top 93.7th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

7.8

HIGH

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Temporal

Exploit Code Maturity

Functional

Remediation Level

Official Fix

Report Confidence

Confirmed

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Description

NVD

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

Affected Products

Microsoft

Microsoft 365 Apps for Enterprise

16.0.1

Microsoft

Microsoft Office 2016

16.0.0

Microsoft

Microsoft Office 2019

19.0.0

Microsoft

Microsoft Office LTSC 2021

16.0.1

Microsoft

Microsoft Office LTSC 2024

16.0.0

microsoft

365 apps

microsoft

office

microsoft

office long term servicing channel

Microsoft

Microsoft Office 2019

19.0.0 <16.0.10417.20095

Microsoft

Microsoft Office LTSC 2021

16.0.1 <https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft Office 2016

Microsoft

Microsoft Office LTSC 2024

16.0.0 <https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft 365 Apps for Enterprise

16.0.1 <https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft Office 2016

16.0.0 <16.0.5539.1001

Microsoft

Microsoft Office 2019

Attack Intelligence

CWE-693 · Protection Mechanism Failure CWE-807 · Reliance on Untrusted Inputs

Google Project Zero

Patched

Jan. 26, 2026

Reported by

Google Threat Intelligence Group, Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509

vendor-advisory patch

Signal Intelligence

Confidenceⓘ

92%

EPSS 11.44%

CVSS v3.1 7.8

Mentions 6

Last Seen Mar 02, 2026

CNA Information

CNA Assigner

microsoft

CNA Title

Microsoft Office Security Feature Bypass Vulnerability

Analyst Note

CVE-2026-21509 is confirmed as a zero-day with strong evidence: Microsoft issued out-of-band patches for active exploitation, it is tracked in Google Project Zero, and multiple credible sources (TheHackerNews, BleepingComputer) document active attacks by APT28. The HIGH CVSS score (7.8) and documented weaponization in espionage-focused campaigns further validate the threat severity.