CVE-2026-21514

ENISA EUVD: EUVD-2026-7334 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: Feb. 18, 2026 9 articles Published: 2026-02-10

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-24

4.96%

probability

This CVE has a 4.96% probability of being exploited in the next 30 days.

0% Top 89.8th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

7.8

HIGH

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Temporal

Exploit Code Maturity

Functional

Remediation Level

Official Fix

Report Confidence

Confirmed

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Description

VulnerabilityLookup (CNA)

Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.

Affected Products

Microsoft

Microsoft 365 Apps for Enterprise

16.0.1

Microsoft

Microsoft Office LTSC 2021

16.0.1

Microsoft

Microsoft Office LTSC 2024

16.0.0

Microsoft

Microsoft Office LTSC for Mac 2021

16.0.1

Microsoft

Microsoft Office LTSC for Mac 2024

16.0.0

Microsoft

Microsoft Office LTSC 2021

16.0.1 <https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft Office LTSC 2024

16.0.0 <https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft Office LTSC for Mac 2024

16.0.0 <16.106.26020821

Microsoft

Microsoft 365 Apps for Enterprise

16.0.1 <https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft Office LTSC 2021

16.0.1 <https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft Office LTSC 2024

16.0.0 <https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft 365 Apps for Enterprise

16.0.1 <https://aka.ms/OfficeSecurityReleases

Microsoft

Microsoft Office LTSC for Mac 2021

16.0.1 <16.106.26020821

Microsoft

Microsoft Office LTSC for Mac 2021

16.0.1 <16.106.26020821

Microsoft

Microsoft Office LTSC for Mac 2024

16.0.0 <16.106.26020821

Attack Intelligence

CWE-693 · Protection Mechanism Failure CWE-807 · Reliance on Untrusted Inputs

Google Project Zero

Patched

Feb. 10, 2026

Reported by

Google Threat Intelligence Group, Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514

vendor-advisory patch

Signal Intelligence

Confidenceⓘ

92%

EPSS 4.96%

CVSS v3.1 7.8

Mentions 9

Last Seen Mar 20, 2026

CNA Information

CNA Assigner

microsoft

CNA Title

Microsoft Word Security Feature Bypass Vulnerability

Analyst Note

CVE-2026-21514 is confirmed as a zero-day vulnerability actively exploited in the wild, as evidenced by multiple high-signal sources reporting it among Microsoft's February 2026 Patch Tuesday fixes for six actively exploited zero-days. The vulnerability affects a widely-used product (Microsoft 365 Apps for Enterprise) with a HIGH CVSS score (7.8) and has garnered significant coverage from authoritative cybersecurity outlets including Google Project Zero validation.

Threat Actors 2

Ice Fog

apt_group Information theft and espionage 🇨🇳 CN

Nomad Panda

apt_group Information theft and espionage 🇨🇳 CN

Triage Info

Decided atFeb 18, 2026

Published DateFeb 10, 2026