IRONSMITHINTEL
HIGHCVSS7.8
|
Actively Exploited
|CISA KEV|CVE-2026-21514|Auth: none — unauthenticated|Reboot: required|Manual only

Microsoft Office < 16.106.26020821

Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally.

Published Feb 10, 2026 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A local attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2026-03-03 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Software Vulnerability (CWE-807) (CWE-807) vulnerability in Microsoft Office. Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally. Exploitation requires local access, low attack complexity, no authentication required, and user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running 365 apps: -; office long term servicing channel: 2021, 2024
Fixed in16.106.26020821, https://aka.ms/OfficeSecurityReleases
Real-world incidentsWhat we've seen

CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2026-02-10 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2026-03-03.

How to patch

Manual remediation steps

Apply the Microsoft Security Update

This vulnerability is fixed by Microsoft's official security update.

Affected Products

    1
    Microsoft 365 Apps for Enterprise for 32-bit Systems
    1
    Microsoft 365 Apps for Enterprise for 64-bit Systems
    1
    Microsoft Office LTSC 2021 for 32-bit editions
    1
    Microsoft Office LTSC 2021 for 64-bit editions
    1
    Microsoft Office LTSC 2024 for 32-bit editions
    1
    Microsoft Office LTSC 2024 for 64-bit editions
    1
    Microsoft Office LTSC for Mac 2021
    1
    Microsoft Office LTSC for Mac 2024

Installation Methods

Windows Update (recommended)

1
Open Settings → Windows Update → Check for updates
2
The security update will be offered if applicable to your system
3
Restart when prompted

Microsoft Download Links

    1
    https://go.microsoft.com/fwlink/p/?linkid=831049

Verification

Confirm the update is installed:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

References

    1
    Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-21514
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21514

Discovery Credit

Anonymous, Microsoft Threat Intelligence Center (MSTIC), Microsoft Security Response Center (MSRC), and Office Product Group Security Team, Google Threat Intelligence Group

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2026-21514MSRC AdvisoryNVD