Microsoft Office vulnerability (CVE-2026-21509) in active exploitation

On January 26, 2026 Microsoft released an out-of-band update for CVE-2026-21509 (CVSS 7.8), an OLE security bypass affecting Microsoft Office 2016, 2019, LTSC 2021/2024 and Microsoft 365 Apps that is being actively exploited; exploitation requires a user to open a specially crafted Office file. Organizations are advised to identify vulnerable instances and apply updates or mitigations immediately; security vendors (including Sophos) have published detections and protections to help detect and block exploitation attempts and post-exploit payloads.