Vulnerability-Lookup

CVE-2026-21509 (GCVE-0-2026-21509)

Vulnerability from cvelistv5 – Published: 2026-01-26 17:06 – Updated: 2026-01-27 13:34

CISA

Title

Microsoft Office Security Feature Bypass Vulnerability

Summary

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE

CWE-807 - Reliance on Untrusted Inputs in a Security Decision

Assigner

microsoft

References

URL

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

Date added: 2026-01-26

Due date: 2026-02-16

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Used in ransomware: Unknown

Notes: Please adhere to Microsoft’s recommended guidelines to address this vulnerability. Implement all final mitigations provided by the vendor for Office 2021, and apply the interim corresponding mitigations for Office 2016 and Office 2019 until the final patch becomes available. For more information please see: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21509

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21509",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T13:34:19.867845Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-01-26",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-27T13:34:26.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.10417.20095",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft 365 Apps for Enterprise",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems",
            "32-bit Systems"
          ],
          "product": "Microsoft Office LTSC 2021",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office LTSC 2024",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "https://aka.ms/OfficeSecurityReleases",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Microsoft Office 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "16.0.5539.1001",
              "status": "affected",
              "version": "16.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "16.0.10417.20095",
                  "versionStartIncluding": "19.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*",
                  "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "16.0.5539.1001",
                  "versionStartIncluding": "16.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-01-26T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-807",
              "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-27T01:35:46.827Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Office Security Feature Bypass Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509"
        }
      ],
      "title": "Microsoft Office Security Feature Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-21509",
    "datePublished": "2026-01-26T17:06:35.512Z",
    "dateReserved": "2025-12-30T18:10:54.844Z",
    "dateUpdated": "2026-01-27T13:34:26.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2026-21509",
      "cwes": "[\"CWE-807\"]",
      "dateAdded": "2026-01-26",
      "dueDate": "2026-02-16",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "Please adhere to Microsoft\u2019s recommended guidelines to address this vulnerability. Implement all final mitigations provided by the vendor for Office 2021, and apply the interim corresponding mitigations for Office 2016 and Office 2019 until the final patch becomes available. For more information please see: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509 ; https://nvd.nist.gov/vuln/detail/CVE-2026-21509",
      "product": "Office",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version.",
      "vendorProject": "Microsoft",
      "vulnerabilityName": "Microsoft Office Security Feature Bypass Vulnerability"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-21509\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2026-01-26T18:16:38.540\",\"lastModified\":\"2026-01-27T16:19:42.330\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2026-01-26\",\"cisaActionDue\":\"2026-02-16\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Microsoft Office Security Feature Bypass Vulnerability\",\"weaknesses\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-807\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*\",\"matchCriteriaId\":\"3259EBFE-AE2D-48B8-BE9A-E22BBDB31378\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*\",\"matchCriteriaId\":\"CD25F492-9272-4836-832C-8439EBE64CCF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*\",\"matchCriteriaId\":\"72324216-4EB3-4243-A007-FEF3133C7DF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*\",\"matchCriteriaId\":\"0FBB0E61-7997-4F26-9C07-54912D3F1C10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*\",\"matchCriteriaId\":\"CF5DDD09-902E-4881-98D0-CB896333B4AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*\",\"matchCriteriaId\":\"26A3B226-5D7C-4556-9350-5222DC8EFC2C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*\",\"matchCriteriaId\":\"851BAC4E-9965-4F40-9A6C-B73D9004F4C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*\",\"matchCriteriaId\":\"23B2FA23-76F4-4D83-A718-B8D04D7EA37B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*\",\"matchCriteriaId\":\"D31E509A-0B2E-4B41-88C4-0099E800AFE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*\",\"matchCriteriaId\":\"017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE\"}]}]}],\"references\":[{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-21509\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-27T13:34:19.867845Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-01-26\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509\"}}}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-26T19:14:57.747Z\"}}], \"cna\": {\"title\": \"Microsoft Office Security Feature Bypass Vulnerability\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Microsoft\", \"product\": \"Microsoft Office 2019\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.0.0\", \"lessThan\": \"16.0.10417.20095\", \"versionType\": \"custom\"}], \"platforms\": [\"32-bit Systems\", \"x64-based Systems\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Microsoft 365 Apps for Enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"16.0.1\", \"lessThan\": \"https://aka.ms/OfficeSecurityReleases\", \"versionType\": \"custom\"}], \"platforms\": [\"32-bit Systems\", \"x64-based Systems\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Microsoft Office LTSC 2021\", \"versions\": [{\"status\": \"affected\", \"version\": \"16.0.1\", \"lessThan\": \"https://aka.ms/OfficeSecurityReleases\", \"versionType\": \"custom\"}], \"platforms\": [\"x64-based Systems\", \"32-bit Systems\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Microsoft Office LTSC 2024\", \"versions\": [{\"status\": \"affected\", \"version\": \"16.0.0\", \"lessThan\": \"https://aka.ms/OfficeSecurityReleases\", \"versionType\": \"custom\"}], \"platforms\": [\"32-bit Systems\", \"x64-based Systems\"]}, {\"vendor\": \"Microsoft\", \"product\": \"Microsoft Office 2016\", \"versions\": [{\"status\": \"affected\", \"version\": \"16.0.0\", \"lessThan\": \"16.0.5539.1001\", \"versionType\": \"custom\"}], \"platforms\": [\"32-bit Systems\", \"x64-based Systems\"]}], \"datePublic\": \"2026-01-26T08:00:00.000Z\", \"references\": [{\"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509\", \"name\": \"Microsoft Office Security Feature Bypass Vulnerability\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"descriptions\": [{\"lang\": \"en-US\", \"value\": \"Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-807\", \"description\": \"CWE-807: Reliance on Untrusted Inputs in a Security Decision\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"16.0.10417.20095\", \"versionStartIncluding\": \"19.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"https://aka.ms/OfficeSecurityReleases\", \"versionStartIncluding\": \"16.0.1\"}, {\"criteria\": \"cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"https://aka.ms/OfficeSecurityReleases\", \"versionStartIncluding\": \"16.0.1\"}, {\"criteria\": \"cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"https://aka.ms/OfficeSecurityReleases\", \"versionStartIncluding\": \"16.0.0\"}, {\"criteria\": \"cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*\", \"vulnerable\": true, \"versionEndExcluding\": \"16.0.5539.1001\", \"versionStartIncluding\": \"16.0.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"shortName\": \"microsoft\", \"dateUpdated\": \"2026-01-27T01:35:46.827Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-21509\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-27T13:34:26.498Z\", \"dateReserved\": \"2025-12-30T18:10:54.844Z\", \"assignerOrgId\": \"f38d906d-7342-40ea-92c1-6c4a2c6478c8\", \"datePublished\": \"2026-01-26T17:06:35.512Z\", \"assignerShortName\": \"microsoft\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

MSRC_CVE-2026-21509

Vulnerability from csaf_microsoft - Published: 2026-01-13 08:00 - Updated: 2026-01-26 08:00

Summary

Microsoft Office Security Feature Bypass Vulnerability

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Customer Action

Required. The vulnerability documented by this CVE requires customer action to resolve.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-21509 Microsoft Office Security Feature Bypass Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509"
      },
      {
        "category": "self",
        "summary": "CVE-2026-21509 Microsoft Office Security Feature Bypass Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-21509.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Microsoft Office Security Feature Bypass Vulnerability",
    "tracking": {
      "current_release_date": "2026-01-26T08:00:00.000Z",
      "generator": {
        "date": "2026-01-26T17:05:11.528Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-21509",
      "initial_release_date": "2026-01-13T08:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-01-26T08:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003chttps://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft 365 Apps for Enterprise for 32-bit Systems \u003chttps://aka.ms/OfficeSecurityReleases",
              "product_id": "6"
            }
          },
          {
            "category": "product_version",
            "name": "https://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft 365 Apps for Enterprise for 32-bit Systems https://aka.ms/OfficeSecurityReleases",
              "product_id": "11762"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft 365 Apps for Enterprise for 32-bit Systems"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003chttps://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft 365 Apps for Enterprise for 64-bit Systems \u003chttps://aka.ms/OfficeSecurityReleases",
              "product_id": "5"
            }
          },
          {
            "category": "product_version",
            "name": "https://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft 365 Apps for Enterprise for 64-bit Systems https://aka.ms/OfficeSecurityReleases",
              "product_id": "11763"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft 365 Apps for Enterprise for 64-bit Systems"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003chttps://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft Office LTSC 2021 for 64-bit editions \u003chttps://aka.ms/OfficeSecurityReleases",
              "product_id": "4"
            }
          },
          {
            "category": "product_version",
            "name": "https://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft Office LTSC 2021 for 64-bit editions https://aka.ms/OfficeSecurityReleases",
              "product_id": "11952"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Office LTSC 2021 for 64-bit editions"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003chttps://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft Office LTSC 2021 for 32-bit editions \u003chttps://aka.ms/OfficeSecurityReleases",
              "product_id": "3"
            }
          },
          {
            "category": "product_version",
            "name": "https://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft Office LTSC 2021 for 32-bit editions https://aka.ms/OfficeSecurityReleases",
              "product_id": "11953"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Office LTSC 2021 for 32-bit editions"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003chttps://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft Office LTSC 2024 for 32-bit editions \u003chttps://aka.ms/OfficeSecurityReleases",
              "product_id": "2"
            }
          },
          {
            "category": "product_version",
            "name": "https://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft Office LTSC 2024 for 32-bit editions https://aka.ms/OfficeSecurityReleases",
              "product_id": "12420"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Office LTSC 2024 for 32-bit editions"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003chttps://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft Office LTSC 2024 for 64-bit editions \u003chttps://aka.ms/OfficeSecurityReleases",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "https://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft Office LTSC 2024 for 64-bit editions https://aka.ms/OfficeSecurityReleases",
              "product_id": "12421"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft Office LTSC 2024 for 64-bit editions"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-21509",
      "cwe": {
        "id": "CWE-807",
        "name": "Reliance on Untrusted Inputs in a Security Decision"
      },
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "An attacker must send a user a malicious Office file and convince them to open it.",
          "title": "According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?"
        },
        {
          "category": "faq",
          "text": "The security update for Microsoft Office Client 2016 and 2019 versions are not immediately available. These updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE.",
          "title": "Are the updates for the Microsoft Office Client versions currently available?"
        },
        {
          "category": "faq",
          "text": "This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls.",
          "title": "What kind of security feature could be bypassed by successfully exploiting this vulnerability?"
        },
        {
          "category": "faq",
          "text": "No, the Preview Pane is not an attack vector.",
          "title": "Is the Preview Pane an attack vector for this vulnerability?"
        }
      ],
      "product_status": {
        "fixed": [
          "10753",
          "10754",
          "11573",
          "11574",
          "11762",
          "11763",
          "11952",
          "11953",
          "12420",
          "12421"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-21509 Microsoft Office Security Feature Bypass Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509"
        },
        {
          "category": "self",
          "summary": "CVE-2026-21509 Microsoft Office Security Feature Bypass Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-21509.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-01-26T08:00:00.000Z",
          "details": "https://aka.ms/OfficeSecurityReleases:Security Update:https://docs.microsoft.com/en-us/officeupdates/office365-proplus-security-updates",
          "product_ids": [
            "6",
            "5",
            "4",
            "3",
            "2",
            "1"
          ],
          "url": "https://docs.microsoft.com/en-us/officeupdates/office365-proplus-security-updates"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 6.8,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "6",
            "7",
            "8",
            "9",
            "10"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Security Feature Bypass"
        },
        {
          "category": "exploit_status",
          "details": "Publicly Disclosed:Yes;Exploited:Yes;Latest Software Release:Exploitation Detected"
        }
      ],
      "title": "Microsoft Office Security Feature Bypass Vulnerability"
    }
  ]
}

FKIE_CVE-2026-21509

Vulnerability from fkie_nvd - Published: 2026-01-26 18:16 - Updated: 2026-01-27 16:19

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

References

	URL	Tags
	secure@microsoft.com	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509	Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509	US Government Resource

Impacted products

Vendor	Product	Version
microsoft	365_apps	-
microsoft	365_apps	-
microsoft	office	2016
microsoft	office	2016
microsoft	office	2019
microsoft	office	2019
microsoft	office_long_term_servicing_channel	2021
microsoft	office_long_term_servicing_channel	2021
microsoft	office_long_term_servicing_channel	2024
microsoft	office_long_term_servicing_channel	2024

JSON

To clipboard

{
  "cisaActionDue": "2026-02-16",
  "cisaExploitAdd": "2026-01-26",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Microsoft Office Security Feature Bypass Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*",
              "matchCriteriaId": "3259EBFE-AE2D-48B8-BE9A-E22BBDB31378",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*",
              "matchCriteriaId": "CD25F492-9272-4836-832C-8439EBE64CCF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*",
              "matchCriteriaId": "72324216-4EB3-4243-A007-FEF3133C7DF9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*",
              "matchCriteriaId": "0FBB0E61-7997-4F26-9C07-54912D3F1C10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*",
              "matchCriteriaId": "CF5DDD09-902E-4881-98D0-CB896333B4AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*",
              "matchCriteriaId": "26A3B226-5D7C-4556-9350-5222DC8EFC2C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*",
              "matchCriteriaId": "851BAC4E-9965-4F40-9A6C-B73D9004F4C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*",
              "matchCriteriaId": "23B2FA23-76F4-4D83-A718-B8D04D7EA37B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*",
              "matchCriteriaId": "D31E509A-0B2E-4B41-88C4-0099E800AFE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*",
              "matchCriteriaId": "017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally."
    }
  ],
  "id": "CVE-2026-21509",
  "lastModified": "2026-01-27T16:19:42.330",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "secure@microsoft.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-26T18:16:38.540",
  "references": [
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-807"
        }
      ],
      "source": "secure@microsoft.com",
      "type": "Secondary"
    }
  ]
}

NCSC-2026-0039

Vulnerability from csaf_ncscnl - Published: 2026-01-27 07:27 - Updated: 2026-01-27 07:27

Summary

ZeroDay kwetsbaarheid verholpen in Microsoft Office

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

Microsoft heeft een ZeroDay kwetsbaarheid verholpen in Microsoft Office.

Interpretaties

De kwetsbaarheid bevindt zich in de wijze waarop Microsoft Office omgaat met onbetrouwbare invoer, wat aanvallers in staat stelt om beveiligingsfuncties lokaal te omzeilen. Dit kan de integriteit van beveiligingsbeslissingen die door de software worden genomen, beïnvloeden. De afhankelijkheid van onbetrouwbare invoer creëert een pad voor potentiële exploitatie, wat kan leiden tot ongeautoriseerde toegang of acties binnen de getroffen systemen. Voor succesvol misbruik moet de kwaadwillende lokale toegang tot het kwetsbare systeem hebben. Dit kan ook mogelijk worden verwezenlijkt door het slachtoffer te misleiden een malafide document te openen. Microsoft geeft aan op de hoogte te zijn dat exploitcode gedeeld wordt. De exploitcode is (nog) niet publiek beschikbaar. Het Amerikaanse CISA heeft de kwetsbaarheid op de Known Exploited Vulnerabilities-lijst geplaatst, wat inhoudt dat misbruik van de kwetsbaarheid is bevestigd bij een Amerikaanse Federale overheids-organisatie.

Oplossingen

Microsoft heeft updates uitgebracht om de kwetsbaarheid te verhelpen voor Office 2021. Voor Office 2016 en 2019 zijn (nog) geen updates beschikbaar, maar deze worden zeer spoedig verwacht. Wel zijn er mitigerende maatregelen beschikbaar om het risico van misbruik zoveel mogelijk te beperken. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-807

Reliance on Untrusted Inputs in a Security Decision

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Microsoft heeft een ZeroDay kwetsbaarheid verholpen in Microsoft Office.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheid bevindt zich in de wijze waarop Microsoft Office omgaat met onbetrouwbare invoer, wat aanvallers in staat stelt om beveiligingsfuncties lokaal te omzeilen. Dit kan de integriteit van beveiligingsbeslissingen die door de software worden genomen, be\u00efnvloeden. De afhankelijkheid van onbetrouwbare invoer cre\u00ebert een pad voor potenti\u00eble exploitatie, wat kan leiden tot ongeautoriseerde toegang of acties binnen de getroffen systemen.\n\nVoor succesvol misbruik moet de kwaadwillende lokale toegang tot het kwetsbare systeem hebben. Dit kan ook mogelijk worden verwezenlijkt door het slachtoffer te misleiden een malafide document te openen.\n\nMicrosoft geeft aan op de hoogte te zijn dat exploitcode gedeeld wordt. De exploitcode is (nog) niet publiek beschikbaar. Het Amerikaanse CISA heeft de kwetsbaarheid op de Known Exploited Vulnerabilities-lijst geplaatst, wat inhoudt dat misbruik van de kwetsbaarheid is bevestigd bij een Amerikaanse Federale overheids-organisatie.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Microsoft heeft updates uitgebracht om de kwetsbaarheid te verhelpen voor Office 2021. Voor Office 2016 en 2019 zijn (nog) geen updates beschikbaar, maar deze worden zeer spoedig verwacht. Wel zijn er mitigerende maatregelen beschikbaar om het risico van misbruik zoveel mogelijk te beperken. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Reliance on Untrusted Inputs in a Security Decision",
        "title": "CWE-807"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509"
      }
    ],
    "title": "ZeroDay kwetsbaarheid verholpen in Microsoft Office",
    "tracking": {
      "current_release_date": "2026-01-27T07:27:52.867415Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0039",
      "initial_release_date": "2026-01-27T07:27:52.867415Z",
      "revision_history": [
        {
          "date": "2026-01-27T07:27:52.867415Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft 365 Apps for Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft 365 Apps for Enterprise for 32-bit Systems"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft 365 Apps for Enterprise for 64-bit Systems"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office 2016"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office 2016 (32-bit edition)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office 2016 (64-bit edition)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-7"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office 2019"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-8"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office 2019 for 32-bit editions"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-9"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office 2019 for 64-bit editions"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-10"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office LTSC 2021"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-11"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office LTSC 2021 for 32-bit editions"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-12"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office LTSC 2021 for 64-bit editions"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-13"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office LTSC 2024"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-14"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office LTSC 2024 for 32-bit editions"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-15"
                }
              }
            ],
            "category": "product_name",
            "name": "Microsoft Office LTSC 2024 for 64-bit editions"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-16"
                }
              }
            ],
            "category": "product_name",
            "name": "Office"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-21509",
      "cwe": {
        "id": "CWE-807",
        "name": "Reliance on Untrusted Inputs in a Security Decision"
      },
      "notes": [
        {
          "category": "other",
          "text": "Reliance on Untrusted Inputs in a Security Decision",
          "title": "CWE-807"
        },
        {
          "category": "description",
          "text": "Microsoft Office has a vulnerability that allows unauthorized attackers to locally bypass security features by exploiting untrusted inputs in security decisions.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6",
          "CSAFPID-7",
          "CSAFPID-8",
          "CSAFPID-9",
          "CSAFPID-10",
          "CSAFPID-11",
          "CSAFPID-12",
          "CSAFPID-13",
          "CSAFPID-14",
          "CSAFPID-15",
          "CSAFPID-16"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-21509 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-21509.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6",
            "CSAFPID-7",
            "CSAFPID-8",
            "CSAFPID-9",
            "CSAFPID-10",
            "CSAFPID-11",
            "CSAFPID-12",
            "CSAFPID-13",
            "CSAFPID-14",
            "CSAFPID-15",
            "CSAFPID-16"
          ]
        }
      ],
      "title": "CVE-2026-21509"
    }
  ]
}

GHSA-CH84-H92G-MW93

Vulnerability from github – Published: 2026-01-26 18:31 – Updated: 2026-01-26 21:30

Details

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

Severity ?

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-21509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-807"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-26T18:16:38Z",
    "severity": "HIGH"
  },
  "details": "Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.",
  "id": "GHSA-ch84-h92g-mw93",
  "modified": "2026-01-26T21:30:36Z",
  "published": "2026-01-26T18:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21509"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21509"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-21509 (GCVE-0-2026-21509)

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

MSRC_CVE-2026-21509

FKIE_CVE-2026-21509

NCSC-2026-0039

GHSA-CH84-H92G-MW93

Tags

Sightings

Nomenclature