Description
Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.
Published: 2026-02-10
Score: 7.8 High
EPSS: 1.5% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Microsoft Word where untrusted input is used in a security decision, allowing an unauthorized local user to bypass a built‑in security feature. The bypass could potentially enable the execution of content that is normally blocked, thereby affecting confidentiality, integrity, or availability of the system. Based on the description, it is inferred that the payload could be used to trigger code or data that would otherwise be prevented by the security mechanism.

Affected Systems

The affected products are Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and the macOS editions Microsoft Office LTSC for Mac 2021 and Microsoft Office LTSC for Mac 2024. No specific version ranges are provided by the CNA; consequently, any installation of these suites is considered vulnerable until a patch is released.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. An EPSS score of 2% denotes a low but non‑negligible likelihood of exploitation. The vulnerability is listed in the CISA KEV catalog, confirming active exploitation. The attacker must already have local access; there is no disclosed remote attack vector. The likely attack vector is local privilege compromise or a malicious local document.

Generated by OpenCVE AI on June 18, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microsoft 365 Apps and all Office LTSC installations to the latest cumulative update that contains the fix for CVE‑2026‑21514.
  • If no patch is currently available, isolate affected systems, disable macros and enforce strict document access controls to reduce the risk of local bypass.
  • Continuously monitor security advisories and apply subsequent Office security rollups as they are released.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
Vendors & Products Microsoft office Long Term Servicing Channel

Tue, 10 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-02-10T00:00:00+00:00', 'dueDate': '2026-03-03T00:00:00+00:00'}


Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.
Title Microsoft Word Security Feature Bypass Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-807
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-11T21:25:35.049Z

Reserved: 2025-12-30T18:10:54.845Z

Link: CVE-2026-21514

Vulnrichment

Updated: 2026-02-10T18:24:47.129Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:33.803

Modified: 2026-06-17T10:18:45.733

Link: CVE-2026-21514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses
  • CWE-807

    Reliance on Untrusted Inputs in a Security Decision