Microsoft Office 2016 to 2024 and Office 365 apps contain a zero-day vulnerability (CVE-2026-21509) that is being actively exploited in attacks. On January 26, 2026, Microsoft published initial information (also about mitigations) and emergency updates for Microsoft Office.
Office 2021 upward has been patched server-side. For Office 2016 is an emergency update available, and Office 2019 got a C2R update for a new build. I've discussed the details in this article [use the translation option in the side bar of my German blog to read the article in English or other languages].
