Microsoft Office Word OLE Security Feature Bypass

Executive Summary

Microsoft has disclosed an actively exploited zero-day vulnerability in Microsoft Word that bypasses Object Linking and Embedding (OLE) security protections. Tracked as CVE-2026-21514, the flaw stems from Word's reliance on untrusted inputs when making internal security decisions (CWE-807), allowing crafted Office documents to execute malicious OLE objects without triggering the standard "Enable Content" prompts or Protected View warnings users would normally see. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on February 10, 2026, with a federal agency remediation deadline of March 3, 2026. The vulnerability carries a CVSS 3.1 base score of 7.8.

Attribute	Value
CVE ID	CVE-2026-21514
Severity	High
CVSS v3.1 Score	7.8
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE	CWE-807 — Reliance on Untrusted Inputs in a Security Decision
Vendor	Microsoft
Product	Microsoft Office Word
Patch Date	February 10, 2026 (Patch Tuesday)
CISA KEV Added	February 10, 2026
CISA Remediation Due	March 3, 2026
Exploitation Status	Actively exploited in the wild (zero-day at time of patch)

Technical Details

Root Cause

CVE-2026-21514 is a logic vulnerability, not a memory corruption flaw. Microsoft Word makes security decisions about whether to allow execution of embedded OLE objects by evaluating properties within the document's internal XML structure. By manipulating how the relationship metadata and content-type declarations inside a specially crafted .docx (OOXML) file describe an embedded object, an attacker can convince Word that the malicious OLE object is a trusted, safe component.

Because the exploit relies on no memory grooming, no return-oriented programming (ROP) chains, and no heap spraying, it is highly reliable across all affected versions and produces no signs of exploitation in memory forensics.

Exploitation Mechanics

A typical exploitation chain proceeds as follows:

1. Attacker crafts a malicious .docx file with an embedded OLE object
2. Internal XML is manipulated: relationship declarations are spoofed
   to present the object as trusted content
3. Victim opens the document (via email, web download, etc.)
4. Word evaluates the spoofed trust metadata and skips OLE warnings
5. Embedded payload executes silently — no "Enable Content" prompt
6. Mark-of-the-Web (MotW) protections are bypassed
7. Attacker-controlled code runs in the user's context

Unlike traditional macro-based document attacks that display a yellow warning bar, this exploit executes without any visible security alert, making it particularly effective in phishing campaigns and targeted intrusions.

Attack Vector Notes

Delivery vector: Phishing email attachment, malicious download link, or SharePoint/OneDrive document share
User interaction required: Victim must open the document (single click)
Privilege escalation: Payload runs in the context of the logged-in user; combined with a local privilege escalation, full system compromise is possible
Exploit maturity: "Functional" — working exploit code confirmed deployed in real-world attacks prior to patch release

Affected Versions

Product	Affected Versions	Fixed Version / Update Channel
Microsoft 365 Apps for Enterprise (x86)	All builds prior to Feb 10, 2026 Click-to-Run	KB5002700 (Current Channel)
Microsoft 365 Apps for Enterprise (x64)	All builds prior to Feb 10, 2026 Click-to-Run	KB5002700 (Current Channel)
Office LTSC 2021 (Windows)	All builds prior to Feb 10, 2026	KB5002700
Office LTSC 2024 (Windows)	All builds prior to Feb 10, 2026	KB5002700
Office LTSC for Mac 2021	< 16.106.26020821	16.106.26020821
Office LTSC for Mac 2024	< 16.106.26020821	16.106.26020821
Microsoft Word 2016	Potentially affected	Apply all February 2026 updates
Microsoft Word 2019	Potentially affected	Apply all February 2026 updates

Indicators of Compromise

Suspicious Document Characteristics

Malicious documents exploiting CVE-2026-21514 may exhibit the following traits detectable via static analysis or EDR telemetry:

.docx files containing OLE objects with unusual ProgID or ClassID values in word/embeddings/
Document relationship files (_rels/*.rels) with atypical content-type declarations
Embedded objects referencing external URIs or UNC paths at open time
Spawning of unexpected child processes from WINWORD.EXE (e.g., cmd.exe, powershell.exe, wscript.exe, mshta.exe)

EDR / Process Telemetry Indicators

Parent: WINWORD.EXE
Child processes to flag:
  - cmd.exe / powershell.exe / pwsh.exe
  - wscript.exe / cscript.exe
  - mshta.exe
  - regsvr32.exe
  - rundll32.exe
  - certutil.exe (especially with -decode or -urlcache flags)

Network Indicators

Outbound HTTP/HTTPS connections initiated by WINWORD.EXE to non-Microsoft domains
DNS queries to newly registered domains immediately after document opens
UNC path resolution attempts (SMB port 445) from workstations upon document open

Remediation

Apply the February 2026 Patch Tuesday updates immediately. For Microsoft 365 Click-to-Run, verify the update channel and confirm the build version is at or above the February 10, 2026 baseline via File > Account > About Word.
Verify Office for Mac is updated to version 16.106.26020821 or later. Navigate to Help > Check for Updates in any Office application.
Enable Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint. The following rules are relevant:
- Block Office applications from creating child processes (Rule GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A)
- Block Office applications from injecting code into other processes
- Block untrusted and unsigned processes that run from USB
Confirm Protected View is enabled for documents received from the internet and Outlook attachments. Verify via File > Options > Trust Center > Trust Center Settings > Protected View.
Block macro execution via Group Policy if macros are not required: User Configuration > Administrative Templates > Microsoft Word > Word Options > Security > Trust Center > Block macros from running in Office files from the Internet.
Review and restrict email gateway policies to quarantine or strip Office documents from unknown external senders until the patch is confirmed deployed organisation-wide.
Hunt for exploitation indicators in EDR telemetry: search for WINWORD.EXE spawning shells or scripting engines in the days prior to patch deployment.

References

Executive Summary

Attribute	Value
CVE ID	CVE-2026-21514
Severity	High
CVSS v3.1 Score	7.8
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE	CWE-807 — Reliance on Untrusted Inputs in a Security Decision
Vendor	Microsoft
Product	Microsoft Office Word
Patch Date	February 10, 2026 (Patch Tuesday)
CISA KEV Added	February 10, 2026
CISA Remediation Due	March 3, 2026
Exploitation Status	Actively exploited in the wild (zero-day at time of patch)

Technical Details

Root Cause

Exploitation Mechanics

A typical exploitation chain proceeds as follows:

1. Attacker crafts a malicious .docx file with an embedded OLE object
2. Internal XML is manipulated: relationship declarations are spoofed
   to present the object as trusted content
3. Victim opens the document (via email, web download, etc.)
4. Word evaluates the spoofed trust metadata and skips OLE warnings
5. Embedded payload executes silently — no "Enable Content" prompt
6. Mark-of-the-Web (MotW) protections are bypassed
7. Attacker-controlled code runs in the user's context

Attack Vector Notes

Delivery vector: Phishing email attachment, malicious download link, or SharePoint/OneDrive document share
User interaction required: Victim must open the document (single click)
Privilege escalation: Payload runs in the context of the logged-in user; combined with a local privilege escalation, full system compromise is possible
Exploit maturity: "Functional" — working exploit code confirmed deployed in real-world attacks prior to patch release

Affected Versions

Product	Affected Versions	Fixed Version / Update Channel
Microsoft 365 Apps for Enterprise (x86)	All builds prior to Feb 10, 2026 Click-to-Run	KB5002700 (Current Channel)
Microsoft 365 Apps for Enterprise (x64)	All builds prior to Feb 10, 2026 Click-to-Run	KB5002700 (Current Channel)
Office LTSC 2021 (Windows)	All builds prior to Feb 10, 2026	KB5002700
Office LTSC 2024 (Windows)	All builds prior to Feb 10, 2026	KB5002700
Office LTSC for Mac 2021	< 16.106.26020821	16.106.26020821
Office LTSC for Mac 2024	< 16.106.26020821	16.106.26020821
Microsoft Word 2016	Potentially affected	Apply all February 2026 updates
Microsoft Word 2019	Potentially affected	Apply all February 2026 updates

Indicators of Compromise

Suspicious Document Characteristics

Malicious documents exploiting CVE-2026-21514 may exhibit the following traits detectable via static analysis or EDR telemetry:

.docx files containing OLE objects with unusual ProgID or ClassID values in word/embeddings/
Document relationship files (_rels/*.rels) with atypical content-type declarations
Embedded objects referencing external URIs or UNC paths at open time
Spawning of unexpected child processes from WINWORD.EXE (e.g., cmd.exe, powershell.exe, wscript.exe, mshta.exe)

EDR / Process Telemetry Indicators

Parent: WINWORD.EXE
Child processes to flag:
  - cmd.exe / powershell.exe / pwsh.exe
  - wscript.exe / cscript.exe
  - mshta.exe
  - regsvr32.exe
  - rundll32.exe
  - certutil.exe (especially with -decode or -urlcache flags)

Network Indicators

Outbound HTTP/HTTPS connections initiated by WINWORD.EXE to non-Microsoft domains
DNS queries to newly registered domains immediately after document opens
UNC path resolution attempts (SMB port 445) from workstations upon document open

Remediation

Apply the February 2026 Patch Tuesday updates immediately. For Microsoft 365 Click-to-Run, verify the update channel and confirm the build version is at or above the February 10, 2026 baseline via File > Account > About Word.
Verify Office for Mac is updated to version 16.106.26020821 or later. Navigate to Help > Check for Updates in any Office application.
Enable Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint. The following rules are relevant:
- Block Office applications from creating child processes (Rule GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A)
- Block Office applications from injecting code into other processes
- Block untrusted and unsigned processes that run from USB
Confirm Protected View is enabled for documents received from the internet and Outlook attachments. Verify via File > Options > Trust Center > Trust Center Settings > Protected View.
Block macro execution via Group Policy if macros are not required: User Configuration > Administrative Templates > Microsoft Word > Word Options > Security > Trust Center > Block macros from running in Office files from the Internet.
Review and restrict email gateway policies to quarantine or strip Office documents from unknown external senders until the patch is confirmed deployed organisation-wide.
Hunt for exploitation indicators in EDR telemetry: search for WINWORD.EXE spawning shells or scripting engines in the days prior to patch deployment.

Microsoft Office Word OLE Security Feature Bypass

Affected Products

Executive Summary

Technical Details

Root Cause

Exploitation Mechanics

Attack Vector Notes

Affected Versions

Indicators of Compromise

Suspicious Document Characteristics

EDR / Process Telemetry Indicators

Network Indicators

Remediation

References

Microsoft MSHTML Framework Security Feature Bypass

BeyondTrust Remote Support and PRA Critical RCE Under

Microsoft February 2026 Patch Tuesday Fixes Six Actively

Microsoft Office Word OLE Security Feature Bypass

Affected Products

Executive Summary

Technical Details

Root Cause

Exploitation Mechanics

Attack Vector Notes

Affected Versions

Indicators of Compromise

Suspicious Document Characteristics

EDR / Process Telemetry Indicators

Network Indicators

Remediation

References

Microsoft MSHTML Framework Security Feature Bypass

BeyondTrust Remote Support and PRA Critical RCE Under

Microsoft February 2026 Patch Tuesday Fixes Six Actively