CVE-2026-21509: Actively Exploited Microsoft Office Zero-Day Forces Emergency Patch

This report details CVE-2026-21509, a Microsoft Office security-feature-bypass zero-day actively exploited in the wild; Microsoft issued an out-of-band update and the vulnerability was added to CISA's KEV catalog, requiring federal agencies to patch. Affected products include Office 2016, 2019, LTSC 2021/2024 and Microsoft 365 Apps for Enterprise; mitigations include an automatic service-side fix for Office 2021+, updates or a registry-based workaround for older versions.