anonhaven
Ad

CVE-2026-21509

HIGH CVSS 3.1: 7.8 EPSS 6.58% ACTIVE EXPLOIT
Updated Jan 27, 2026
Microsoft

CISA Known Exploited Vulnerability (KEV)

This vulnerability is actively exploited in the wild. Immediate patching is strongly recommended.

Due Date: Feb 16, 2026

Parameter Value
CVSS 7.8 (HIGH)
Type CWE-807
Vendor Microsoft
Public PoC Yes

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-807

Vulnerable Products 10

Configuration From (including) Up to (excluding)
Microsoft 365_Apps
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
Microsoft 365_Apps
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
Microsoft Office
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*
Microsoft Office
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*
Microsoft Office
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
Microsoft Office
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
Microsoft Office_Long_Term_Servicing_Channel
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
Microsoft Office_Long_Term_Servicing_Channel
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
Microsoft Office_Long_Term_Servicing_Channel
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
Microsoft Office_Long_Term_Servicing_Channel
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*

References 2

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
secure@microsoft.com
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026…
134c704f-9b21-4f2e-91b3-4a467353bcc0
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-4680

Google

8.8

CVE-2026-4679

Google

8.8

CVE-2026-4678

Google

8.8

CVE-2026-4677

Google

8.8

CVE-2026-4676

Google

8.8