The February 2026 Patch Tuesday shipped a fix for CVE-2026-21514, a security feature bypass in Microsoft Word that attackers were already exploiting as a zero-day. On top of that, it had been publicly disclosed before any patch existed. Microsoft rates it “Important” and gives it a CVSS score of 7.8.
What the vulnerability is
The flaw lets an attacker get past the OLE (Object Linking and Embedding) mitigations that exist to protect against vulnerable COM/OLE controls, along with the Mark-of-the-Web (MotW) warnings. At the heart of it is improper validation of security decisions based on untrusted input (CWE-807): tamper with the internal XML structure of a crafted Word document and the application ends up treating a malicious OLE object as trustworthy.
So the content runs without the usual warnings: neither the “Enable Content” banner nor the Protected View screen appears. A document that looks harmless becomes a way to deliver malware while the user sees nothing out of the ordinary.
Who is affected
It hits Microsoft Word installations within Microsoft 365 and Office, on both Windows and macOS. This is a client-side flaw and it needs user interaction. The usual scenario: the victim gets a malicious Office file (over email, messaging or a download) and opens it. There is no remote, silent exploitation with zero user action here, but that is also where the danger sits, because it defeats the safeguards that would normally warn the person.
Severity
At CVSS 7.8 it lands in high severity. Two things push the urgency up. Active exploitation in the wild was confirmed, and on top of that it was publicly disclosed before the patch, which gives opportunistic attackers more room to work. CISA added the flaw to its guidance and set a mitigation deadline of March 3, 2026 for federal agencies.
On its own it is a protection bypass rather than direct code execution with maximum privileges. But inside an attack chain it does the job of disabling the barriers between the user and attacker-controlled content, which makes it easier to drop malware and hold onto access.
Mitigation and patch
The fix is to apply the February 2026 security updates:
- On Windows, the fixes come through Microsoft 365 / Office Click-to-Run. Keep Office set to update automatically.
- On macOS, update to version 16.106.26020821 or later.
A few extra defensive steps: be wary of Office documents you did not expect, keep Protected View enabled, do not open attachments from senders you do not know, and apply policies that block macros and OLE objects in documents coming from the Internet.
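To make the last two steps concrete, here is an added triage script (not from the article or from Microsoft) that inspects an incoming .docx for the two things this advisory is about: OLE objects declared inside the document's XML, and the Mark-of-the-Web. A .docx is a zip of XML parts; OLE objects are declared as `o:OLEObject` elements in `word/document.xml`, resolved through `word/_rels/document.xml.rels` to binary parts under `word/embeddings/`. On Windows NTFS the MotW is the `Zone.Identifier` alternate data stream (ZoneId 3 is the Internet zone). The sample document built by `build_sample_docx` is constructed for the demo and is not a real file; the "orphaned part" heuristic (an embedded part no OLE element references) is an assumption about what a tampered structure might look like, not a description of this CVE's trigger.

```python
"""Triage an incoming .docx: list embedded OLE objects and read its Mark-of-the-Web."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML / Office namespaces and the relationship type for OLE parts
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
O_NS = "urn:schemas-microsoft-com:office:office"
OLE_REL = R_NS + "/oleObject"


def scan_docx(data: bytes) -> dict:
    """Inspect a .docx (a zip of XML parts) for OLE objects.

    Returns the OLE objects declared in word/document.xml (with their ProgID and
    the part the relationship resolves to), every binary part stored under
    word/embeddings/, and embedded parts that no OLE element references
    (a structural inconsistency worth a closer look; heuristic, not a CVE check).
    """
    result = {"ole_objects": [], "embedded_parts": [], "orphaned_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        result["embedded_parts"] = sorted(n for n in names if n.startswith("word/embeddings/"))

        # Map relationship ids (rId5, ...) to (type, target) from the rels part
        rels = {}
        if "word/_rels/document.xml.rels" in names:
            root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rels[rel.get("Id")] = (rel.get("Type"), rel.get("Target"))

        referenced = set()
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            for obj in doc.iter(f"{{{O_NS}}}OLEObject"):
                rid = obj.get(f"{{{R_NS}}}id")
                rtype, target = rels.get(rid, (None, None))
                if target:
                    referenced.add("word/" + target)  # targets are relative to word/
                result["ole_objects"].append({
                    "rid": rid,
                    "progid": obj.get("ProgID"),  # "Package" = arbitrary embedded file
                    "target": target,
                    "rel_type": rtype,
                })
        result["orphaned_parts"] = [p for p in result["embedded_parts"] if p not in referenced]
    return result


def parse_zone_identifier(text: str):
    """Parse the Zone.Identifier stream contents; return the ZoneId or None."""
    zone = None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().lower() == "zoneid" and value.strip().isdigit():
            zone = int(value.strip())
    return zone


def read_mark_of_the_web(path: str):
    """Read the MotW from the file's 'Zone.Identifier' alternate data stream (Windows/NTFS)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None  # no stream: not downloaded, not NTFS, or not running on Windows


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed minimal .docx for the demo (not a real document; lacks [Content_Types].xml)."""
    body, rels = "", ""
    if with_ole:
        body = ('<w:p><w:r><w:object>'
                '<o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1025" '
                'DrawAspect="Content" ObjectID="_1" r:id="rId5"/>'
                '</w:object></w:r></w:p>')
        rels = f'<Relationship Id="rId5" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
    document = (f'<w:document xmlns:w="{W_NS}" xmlns:o="{O_NS}" xmlns:r="{R_NS}">'
                f'<w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p>{body}</w:body></w:document>')
    rels_xml = f'<Relationships xmlns="{REL_NS}">{rels}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        if with_ole:
            z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)  # placeholder bytes
            z.writestr("word/embeddings/stray.bin", b"\x00" * 16)       # unreferenced part
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(scan_docx(build_sample_docx(True)), indent=2))
    print("MotW zone of this script:", read_mark_of_the_web(__file__))
```

In a mail gateway or sandbox pipeline, any document with a non-empty `ole_objects` list (especially ProgID `Package`) or with orphaned embedded parts would be held for analysis rather than delivered, and a ZoneId of 3 confirms the file should have been opened in Protected View. The script only reads; it never executes or extracts the embedded parts.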
The case is a reminder that Office protections are not infallible. OLE and MotW mitigations are one more layer, not a replacement for keeping everything patched and using common sense.
Sources
- BleepingComputer: Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
- NVD - NIST: CVE-2026-21514