Microsoft recently identified a critical vulnerability, CVE-2026-21509, affecting several versions of Microsoft Office. This bypass allows attackers to get around Object Linking and Embedding (OLE) mitigations. Since this is actively being exploited and sits in the CISA Known Exploited Vulnerabilities (KEV) catalog, IT admins and Office users need to act now.
The Problem: Silent OLE Mitigation Bypass
The vulnerability exists because Microsoft Office relies on untrusted inputs for security decisions. Opening a malicious Office file allows an attacker to bypass the security layers meant to block embedded objects. The bypass is silent: there is no user-facing warning or error message, so users will not know they are under attack.
Affected Versions
- Microsoft 365 Apps for Enterprise
- Microsoft Office LTSC 2021 and 2024
- Microsoft Office 2019 (32-bit and 64-bit)
- Microsoft Office 2016 (32-bit and 64-bit)
How to Fix CVE-2026-21509
Fixing this depends on your Office version. Install the security update released on January 26, 2026, right away.
Solution 1: Microsoft 365, Office 2021, and Office 2024
For newer versions of Office, Microsoft deployed a service-side fix.
- Save all work.
- Close all Office applications (Word, Excel, Outlook, PowerPoint).
- Restart the applications.
- Go to File > Account > Update Options > Update Now to get the latest build.
Solution 2: Registry Workaround for Office 2016 and 2019
If you use Office 2016 or 2019 and cannot update yet, apply a registry change to enforce COM compatibility flags.
Manual Registry Steps:
- Press Win + R, type regedit, and press Enter.
- Back up your registry by selecting File > Export.
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility
- Right-click COM Compatibility, select New > Key, and name it using the CLSID from the Microsoft security advisory for the object being blocked.
- Inside the new key, right-click and select New > DWORD (32-bit) Value.
- Name the value Compatibility Flags.
- Set the Value data to 400 (Hexadecimal).
- Restart Office.
Solution 3: Automated Fix via PowerShell
For IT professionals managing multiple endpoints, PowerShell scripts work best for the registry fix.
```powershell
# Define the registry path (run from an elevated PowerShell session, since HKLM is written)
$regPath = "HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{Example-CLSID-Key}"
# Create the key if it does not exist
if (!(Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
# Set the Compatibility Flags to 0x400 (1024 decimal, the same value as the manual steps)
New-ItemProperty -Path $regPath -Name "Compatibility Flags" -Value 1024 -PropertyType DWord -Force
```
Note: Replace {Example-CLSID-Key} with the relevant Class ID from the MSRC documentation for the objects you want to block.
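The snippet above handles a single CLSID and does not tell you afterwards whether the endpoint is actually mitigated. The following script is an added example written for this article (it is not code from Microsoft or from the original post): it applies the same COM Compatibility workaround to a list of CLSIDs, validates the CLSID format before touching the registry, supports -WhatIf for a dry run, and returns an audit object per CLSID that you can collect across a fleet. The CLSID in $TargetClsids is a constructed placeholder; the real values come from the MSRC advisory.

```powershell
# Added example (not from the original post or from Microsoft): apply and audit the
# COM Compatibility workaround for CVE-2026-21509 across a list of CLSIDs.
#Requires -RunAsAdministrator

$BasePath  = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
$FlagName  = 'Compatibility Flags'
$FlagValue = 0x400   # 400 hex = 1024 decimal, as in the manual registry steps

function Test-ClsidFormat {
    param([Parameter(Mandatory)][string]$Clsid)
    # The subkey name must be a braced GUID, e.g. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
    return $Clsid -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
}

function Set-OleCompatibilityFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        if (-not (Test-ClsidFormat $id)) {
            Write-Warning "Skipping malformed CLSID '$id'"
            continue
        }
        $keyPath = Join-Path $BasePath $id
        if ($PSCmdlet.ShouldProcess($keyPath, ("Set $FlagName = 0x{0:X}" -f $FlagValue))) {
            if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
            New-ItemProperty -Path $keyPath -Name $FlagName -Value $FlagValue `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-OleCompatibilityFlag {
    param([Parameter(Mandatory)][string[]]$Clsid)
    foreach ($id in $Clsid) {
        $keyPath = Join-Path $BasePath $id
        $current = $null
        if (Test-Path $keyPath) {
            $current = (Get-ItemProperty -Path $keyPath -Name $FlagName `
                        -ErrorAction SilentlyContinue).$FlagName
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Clsid     = $id
            KeyExists = (Test-Path $keyPath)
            Flags     = if ($null -ne $current) { '0x{0:X}' -f $current } else { $null }
            # Bitwise check: a key that already carried other flags still counts as
            # mitigated as long as the 0x400 bit is set.
            Mitigated = ($null -ne $current) -and (($current -band $FlagValue) -eq $FlagValue)
        }
    }
}

# Constructed placeholder; replace with the CLSID(s) named in the MSRC advisory.
$TargetClsids = @('{00000000-0000-0000-0000-000000000000}')

Set-OleCompatibilityFlag -Clsid $TargetClsids          # add -WhatIf to preview the changes
Test-OleCompatibilityFlag -Clsid $TargetClsids | Format-Table -AutoSize
```

For a fleet rollout, run the same script body through Invoke-Command -ComputerName and collect the Test-OleCompatibilityFlag objects centrally; any row with Mitigated = False is an endpoint that still needs the workaround or the January 26, 2026 update.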
Summary of Actions
- Apply Updates: Install the January 26, 2026 patch now.
- Restart Apps: Force a restart of all Office processes so the protections take effect.
- User Education: Tell users to avoid unsolicited attachments, as this attack requires them to open a file.
For help with deployments or security settings, contact us.