CVE-2026-21514
Description
CVE-2026-21514 is a high-severity security bypass in Microsoft Office Word (CVSS 7.8) that is actively exploited in the wild.
CPE
| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| 365_apps | - | - | vulnerable |
| 365_apps | - | - | vulnerable |
| office_long_term_servicing_channel | 2021 | 2021 | vulnerable |
| office_long_term_servicing_channel | 2021 | 2021 | vulnerable |
| office_long_term_servicing_channel | 2021 | 2021 | vulnerable |
| office_long_term_servicing_channel | 2024 | 2024 | vulnerable |
| office_long_term_servicing_channel | 2024 | 2024 | vulnerable |
| office_long_term_servicing_channel | 2024 | 2024 | vulnerable |
Related weakness (CWE)
Remediation plan
Apply official patches
Visit the Microsoft Security Update Guide for CVE-2026-21514 to download and install the specific security updates for your version of Microsoft Word and Office.
Update affected systems
Ensure all installations of Microsoft 365 Apps, Office LTSC 2021, and Office LTSC 2024 are updated to the latest builds provided by Microsoft to eliminate the bypass flaw.
Restrict access
Implement strict File Block settings and ensure Protected View is enabled for documents originating from the internet or untrusted locations to mitigate the local attack vector.
Monitor for exploitation
Use EDR tools to monitor for unusual child processes spawned by Winword.exe or attempts to modify sensitive registry keys associated with Office security settings.
Detection Guidance
Detection should focus on identifying unusual behavior within Microsoft Word. Monitor for instances where Word bypasses 'Protected View' or 'Mark of the Web' (MOTW) security controls. Security teams should look for suspicious child processes (e.g., cmd.exe, powershell.exe) originating from Word, and review system logs for CWE-807 patterns where security decisions are made based on user-controlled file paths or environment variables.