Microsoft scrambled to patch six actively exploited Office vulnerabilities on January 13, 2026, after attackers weaponized malicious Word and Excel documents to breach corporate networks. The emergency update tackled 115 flaws total, including CVE-2026-21509, a zero-day bypassing OLE protections, and multiple remote code execution bugs involving pointer manipulation and memory corruption. Office 2016 through 2024 versions required immediate updates, while Microsoft 365 users received automatic server-side fixes. Security teams should activate Protected View and monitor for suspicious document activity. Understanding the full scope of these threats requires examining the technical details behind each exploit.
Microsoft has patched a slew of critical Office vulnerabilities in its January 2026 Patch Tuesday update, closing the door on six remote code execution flaws that attackers were actively exploiting in the wild. The fixes arrived on January 13, 2026, addressing a total of 114-115 vulnerabilities, with Office taking centre stage as threat actors wielded malicious documents like digital weapons against unsuspecting users.
Microsoft's January 2026 Patch Tuesday sealed six actively exploited Office RCE flaws among 114 total vulnerabilities patched on January 13.
The exploitation pattern should sound familiar to anyone who has checked their email this decade. Attackers craft poisoned Word or Excel files, send them via email, and hope someone clicks. Simple, yet devastatingly effective. CVE-2026-21509, a security feature bypass zero-day, led the pack of actively exploited vulnerabilities, managing to sidestep OLE security protections that were supposed to keep users safe.
The technical details read like a greatest hits of memory corruption vulnerabilities. CVE-2026-20948 involves an untrusted pointer dereference in Word's document processing engine. CVE-2026-20944 exploits an out-of-bounds read condition that hands attackers remote code execution on a silver platter.
Then there are the use-after-free twins, CVE-2026-20952 and CVE-2026-20953, where Office's memory management stumbles badly enough to allow malicious code to slip through. Excel wasn't spared either, with CVE-2026-20955 leveraging pointer manipulation and CVE-2026-20957 exploiting an integer underflow condition.
Microsoft's patch deployment varies by product version. Office 2016 received security update KB5002826, whereas Office Online Server got KB5002824 on the same day. Users running Office 2021 or Microsoft 365 Apps benefit from automatic service-side fixes that come into effect after an application restart.
The affected product list spans Office 2016, 2019, LTSC 2021, LTSC 2024, and various Click-to-Run configurations.
Detection isn't rocket science, but it requires vigilance. Watch for suspicious Word documents arriving from unfamiliar sources, unexpected crashes in WINWORD.EXE, or anomalous child processes spawning from Office applications. Memory access violations appearing in Windows Event Viewer offer another red flag.
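The two log signals named above, Office applications spawning unusual child processes and Office crashes with memory access violations, can be triaged together. The following Python is an added example, not Microsoft's tooling or code from this article; the normalised field names, the child-process list, the host names and the sample records are assumptions constructed for illustration.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed starting list of children Office rarely needs to launch; tune per environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ACCESS_VIOLATION = 0xC0000005  # NTSTATUS STATUS_ACCESS_VIOLATION

# Constructed sample records in this example's own normalised schema:
# event_id 1 = Sysmon process creation, event_id 1000 = Windows Application Error.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-014",
     "parent_image": OFFICE + "WINWORD.EXE", "image": SYS32 + "cmd.exe"},
    {"event_id": 1, "host": "WS-020",
     "parent_image": "C:\\Windows\\explorer.exe", "image": SYS32 + "cmd.exe"},
    {"event_id": 1, "host": "WS-031",  # print helper: an expected Office child
     "parent_image": OFFICE + "EXCEL.EXE", "image": "C:\\Windows\\splwow64.exe"},
    {"event_id": 1000, "host": "WS-014", "app": "WINWORD.EXE", "exception_code": "0xc0000005"},
    {"event_id": 1000, "host": "WS-031", "app": "EXCEL.EXE", "exception_code": "0xc0000409"},
]

def triage(events):
    """Return (findings, hosts_to_escalate) for Office child-process and crash signals."""
    findings, spawned, crashed = [], set(), set()
    for ev in events:
        if ev["event_id"] == 1:
            parent = ntpath.basename(ev["parent_image"]).lower()
            child = ntpath.basename(ev["image"]).lower()
            if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
                findings.append(("office-child-process", ev["host"], f"{parent} -> {child}"))
                spawned.add(ev["host"])
        elif ev["event_id"] == 1000 and ev["app"].lower() in OFFICE_APPS:
            violation = int(ev["exception_code"], 16) == ACCESS_VIOLATION
            kind = "office-access-violation" if violation else "office-crash"
            findings.append((kind, ev["host"], ev["app"].lower()))
            crashed.add(ev["host"])
    # A host showing both an Office crash and a suspicious child process is triaged first.
    return findings, sorted(spawned & crashed)

if __name__ == "__main__":
    found, escalate = triage(SAMPLE_EVENTS)
    for item in found:
        print(item)
    print("escalate first:", escalate)
```
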
One small mercy: the Preview Pane doesn't trigger these exploits, so your habit of skimming attachments without opening them might actually save you.
Mitigation steps extend beyond just patching. Activate Protected View for documents originating from the internet or untrusted sources. Configure File Block settings to quarantine suspicious files before they execute.
Organisations running Office 2016 or 2019 should implement registry changes to block COM and OLE controls. The vulnerability relies on untrusted inputs in security decisions, allowing attackers to bypass critical protections. Email attachment policies need enforcement, with files scanned and quarantined before they reach inboxes. For high-risk environments, running Office in sandboxed configurations adds another defensive layer. The severity rating reflects the potential for complete system compromise once attackers achieve code execution with current user privileges.
The January 2026 updates prove once again that Office remains a prime target for exploitation. Your move is straightforward: patch immediately, lock down settings, and treat email attachments like they're trying to ruin your week. Since some of them absolutely are.
Final Thoughts
Microsoft's quick action in addressing a critical Office flaw underlines the urgency of tackling zero-day vulnerabilities, which can spread rapidly before patches are made available. Organizations with unpatched Office installations are essentially leaving their systems vulnerable. To mitigate these risks, it's essential to enable automatic updates, educate employees about suspicious documents, and respond promptly to security bulletins.
At Brisbane City Computer Repairs, our team is here to help you stay secure by ensuring your systems are up-to-date and educating your staff on cybersecurity best practices. Don't wait until it's too late—click on our contact us page to get in touch and safeguard your organization today!
