Microsoft Word 0-Day Vulnerability Actively Exploited
On February 10, 2026, a critical zero-day vulnerability in Microsoft Word, identified as CVE-2026-21514, was disclosed. Attackers can exploit this flaw to bypass essential security protections. This...
On February 10, 2026, a critical zero-day vulnerability in Microsoft Word, identified as CVE-2026-21514, was disclosed. Attackers can exploit this flaw to bypass essential security protections.
This flaw has been actively exploited in the wild and carries a CVSS 3.1 base score of 7.8, with a temporal score of 7.2.
CVE-2026-21514 exploits a weakness in how Microsoft Word handles security decisions based on untrusted inputs, categorized as CWE-807.
The vulnerability specifically bypasses Object Linking and Embedding (OLE) mitigations implemented by Microsoft to protect users from malicious COM/OLE controls.
These OLE controls enable documents to embed and interact with external objects. However, improper validation allows attackers to circumvent protective measures.
| Metric | Detail |
|---|---|
| CVE ID | CVE-2026-21514 |
| Vulnerability Type | Security Feature Bypass |
| Max Severity | Important |
| Weakness | CWE-807: Reliance on Untrusted Inputs in a Security Decision |
| CVSS v3.1 Score | 7.8 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C |
Attack Vector and Exploitation Mechanics
The attack vector is classified as “Local” (AV:L) with low attack complexity (AC:L), requiring no privileges (PR: N) but necessitating user interaction (UI: R).
Attackers must craft a specially designed Office document and convince victims to open it through phishing emails or other social engineering methods.
The exploit scope is unchanged (S: U), meaning the vulnerable component doesn’t affect resources beyond its security scope.
Unlike traditional macro-based attacks that trigger security warnings, CVE-2026-21514 bypasses these protections entirely.
When users open malicious documents, the exploit executes without displaying “Enable Content” prompts or Protected View warnings that typically alert users to potential threats.
The exploit code maturity is rated as “Functional” (E: F), indicating working exploit code exists and has been deployed in real-world attacks.
The vulnerability affects multiple Office versions, including Microsoft 365 Apps for Enterprise (32-bit and 64-bit), Office LTSC 2021 and 2024 editions, and Office LTSC for Mac 2021 and 2024.
Microsoft released official fixes through Click-to-Run updates for Windows versions and version 16.106.26020821 for Mac systems.
CISA mandated federal agencies patch this vulnerability by March 3, 2026, reflecting its severity.
Organizations should immediately deploy available security updates, implement email filtering to block suspicious Office documents, and educate users about opening unsolicited attachments.
Consider restricting OLE object execution through Group Policy settings until patches are applied.
Security researchers from Google Threat Intelligence Group and Microsoft’s internal security teams collaborated to identify and remediate this threat.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.