By Howard Solomon
Publication Date: 2026-01-27 21:58:00
“It is important that organizations roll up this update quickly. Until it has been applied, filters on email gateways or endpoint protection signatures may help mitigate the threat.”
Fortunately, the vulnerability, CVE-2026-21509, which has a CVSS score of 7.8, is fixed automatically in Office 2021 and up. However, admins should note that these applications need a restart for the patch to take effect. For Office 2016 and Office 2019, there’s a separate patch.
Jack Bicer, director of vulnerability research at Action1, said that for security teams and CISOs “the urgency is real: don’t wait, prioritize this update immediately, and ensure all Office applications are restarted so the protections take effect without delay.”