⚠ Actively exploited
Added to CISA KEV on 2026-02-10. Federal agencies required to patch by 2026-03-03. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2026-21514

CWE-80713 documents9 sources
Severity
7.8HIGH
EPSS
4.2%
top 11.20%
CISA KEV
KEV
Added 2026-02-10
Due 2026-03-03
Exploit
No known exploits
Affected products
6
Microsoft Microsoft 365 Apps FOR EnterpriseMicrosoft Microsoft Office Ltsc 2021Microsoft Microsoft Office Ltsc 2024+3 more
Timeline
PublishedFeb 10
KEV addedFeb 10
KEV dueMar 3
Latest updateMar 17
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

CVEListV5microsoft/microsoft_office_ltsc_202116.0.1https://aka.ms/OfficeSecurityReleases
CVEListV5microsoft/microsoft_office_ltsc_202416.0.0https://aka.ms/OfficeSecurityReleases
CVEListV5microsoft/microsoft_office_ltsc_for_mac_202116.0.116.106.26020821
CVEListV5microsoft/microsoft_office_ltsc_for_mac_202416.0.016.106.26020821

🔴Vulnerability Details

3
GHSA
GHSA-cjj3-m869-748g: Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally2026-02-10
CVEList
Microsoft Word Security Feature Bypass Vulnerability2026-02-10
VulnCheck
Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability2026

📋Vendor Advisories

2
CISA
Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability2026-02-10
Microsoft
Microsoft Word Security Feature Bypass Vulnerability2026-02-10

🕵️Threat Intelligence

4
Tenable
CVE-2026-21514 FAQ: OLE bypass N-Day in Microsoft Word | Tenable®2026-03-17
Krebs
Patch Tuesday, February 2026 Edition2026-02-10
Tenable
Marcus Ranum PaulDotCom Interview on Penetration Testing2008-12-14
Wiz
CVE-2026-21514 Impact, Exploitability, and Mitigation Steps | Wiz