What is Microsoft Office OLE?
Microsoft Office uses OLE (Object Linking and Embedding) to allow documents to contain embedded objects from other applications — spreadsheets, charts, executables, or remote data. When Office opens a document containing OLE objects, security prompts ("Enable Content", Protected View) are supposed to warn users before executing potentially dangerous embedded content. These prompts are the primary UI-level defense against malicious document-based attacks. Bypassing them allows attackers to execute payloads silently when a user simply opens a crafted document.
Overview
CVE-2026-21514 is a security feature bypass (CWE-807: Reliance on Untrusted Inputs in a Security Decision) in Microsoft Word's OLE handling — a closely related but distinct code path from CVE-2026-21509. Attackers craft a malicious .docx file that manipulates the document's internal XML structure to assert that a malicious OLE object is already trusted. When the document is opened, Word silently executes the embedded payload without displaying "Enable Content" or Protected View prompts. No macros are required. Iranian state-sponsored group MuddyWater exploited this as a zero-day in Operation Olalampo, deploying six distinct malware families against targets in the Middle East and North Africa.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Microsoft 365 Apps for Enterprise (32-bit & 64-bit) | All versions before Feb 10, 2026 patch | February 2026 Patch Tuesday |
| Microsoft Office LTSC 2024 | All versions before Feb 10, 2026 patch | February 2026 Patch Tuesday |
| Microsoft Office LTSC 2021 | All versions before Feb 10, 2026 patch | February 2026 Patch Tuesday |
| Microsoft Office LTSC for Mac 2021 / 2024 | Prior to version 16.106.26020821 | Version 16.106.26020821 |
Tenable estimated approximately 14 million affected assets globally at the time of disclosure.
Technical Details
The vulnerability (CWE-807) is in Word's OLE object trust evaluation. OOXML-format .docx files use XML to describe embedded objects and their trust state. The OLE handler reads trust metadata from within this XML structure. By inserting crafted trust assertions into the document XML, an attacker causes Word to treat a malicious OLE object as pre-approved, bypassing the "Enable Content" user prompt and Protected View checks entirely.
Exploitation executes code at the privilege level of the logged-in user — no elevation is needed beyond the initial document open. This is the second OLE bypass in this Patch Tuesday cycle (alongside CVE-2026-21509, which Microsoft patched out-of-band on January 26). The two vulnerabilities exploit different code paths in the OLE handler, indicating the attack surface was more broadly vulnerable than a single fix addressed.
Discovery
Credited to an anonymous researcher, Google Threat Intelligence Group (GTIG), Microsoft Threat Intelligence Center (MSTIC), MSRC, and the Office Product Group Security Team.
Exploitation Context
The Iranian state-sponsored threat actor MuddyWater (also tracked as MERCURY, Static Kitten) exploited CVE-2026-21514 as a zero-day from late January through early March 2026 in Operation Olalampo. The campaign deployed six distinct malware families: CHAR (Rust-based Telegram C2 backdoor), GhostBackDoor, GhostFetch, HTTP_VIP, Dindoor (Deno JavaScript backdoor), and Fakeset (Python backdoor). Primary targets were in the Middle East and North Africa (MENA) region. Some campaign activity was disguised as Chaos ransomware to obscure the espionage motivation. CISA added CVE-2026-21514 to the KEV catalog on Patch Tuesday.
Remediation
- Apply the February 2026 Patch Tuesday update to all Office installations immediately.
- Mac users: update to Office for Mac version 16.106.26020821 or later via Microsoft AutoUpdate.
- Disable OLE object execution via Group Policy to prevent silent OLE payload execution even on patched systems (defense in depth).
- Enable Protected View for all documents received from the internet or email — enforced via Group Policy, not user preference.
- Block WebDAV and UNC path connections from Office applications at the perimeter, as OLE payloads may be fetched remotely.
- Deploy endpoint detection for the MuddyWater malware families: CHAR, GhostBackDoor, GhostFetch, HTTP_VIP, Dindoor, and Fakeset — update signatures and behavioral detections.
- Review email for .docx files from external senders, particularly those targeting MENA-related personnel.
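The last remediation item above (reviewing inbound .docx files) and the package structure described under Technical Details can be illustrated with a small triage script. The following Python is an added example written for this page; it is not code from the advisory, from Microsoft, or from any of the cited researchers. It only reads the OOXML package (the zip container, `word/document.xml`, and its relationships file) to enumerate declared `o:OLEObject` elements and `word/embeddings/` binaries, and it distinguishes linked objects with external targets (which Office fetches remotely, the case the WebDAV/UNC item addresses) from embedded ones. It does not know or reproduce the trust-assertion manipulation the page describes, since the advisory does not name the affected XML elements; it simply flags any OLE-bearing document from an untrusted sender for manual review. The sample documents and the link target are constructed in memory for the demonstration.

```python
"""Triage scanner for inbound .docx files: enumerate embedded and linked OLE objects.

Added example for this page, not code from the advisory or from Microsoft.
It inspects only the OOXML package layout (zip entries, relationships, and
o:OLEObject elements); it does not parse OLE binaries and does not model the
CVE-2026-21514 trust-assertion bypass itself.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Standard OOXML / Office namespaces and the OLE relationship type.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
O_NS = "urn:schemas-microsoft-com:office:office"
OLE_REL_TYPE = R_NS + "/oleObject"


def scan_docx(data: bytes) -> dict:
    """Summarise OLE objects declared in a .docx given as bytes.

    Returns {'ole_objects': [...], 'embedded_files': [...], 'flag': bool};
    'flag' is True when any OLE object or embedded binary is present.
    """
    result = {"ole_objects": [], "embedded_files": [], "flag": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["embedded_files"] = sorted(
            n for n in names if n.startswith("word/embeddings/"))

        # Relationship IDs -> target and whether it points outside the package.
        rels = {}
        if "word/_rels/document.xml.rels" in names:
            root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                rels[rel.get("Id")] = {
                    "type": rel.get("Type"),
                    "target": rel.get("Target"),
                    "external": rel.get("TargetMode") == "External",
                }

        # Each OLE object in the body is declared with an o:OLEObject element
        # whose r:id attribute names the relationship carrying the payload.
        if "word/document.xml" in names:
            doc = ET.fromstring(zf.read("word/document.xml"))
            for obj in doc.iter(f"{{{O_NS}}}OLEObject"):
                rel = rels.get(obj.get(f"{{{R_NS}}}id"), {})
                result["ole_objects"].append({
                    "progid": obj.get("ProgID"),
                    "type": obj.get("Type"),  # "Embed" or "Link"
                    "target": rel.get("target"),
                    "external": rel.get("external", False),
                    "rel_is_ole": rel.get("type") == OLE_REL_TYPE,
                })

    result["flag"] = bool(result["ole_objects"] or result["embedded_files"])
    return result


def build_sample_docx(with_ole: bool, link_target: Optional[str] = None) -> bytes:
    """Build a minimal in-memory .docx (constructed test input, not a real sample).

    with_ole=False gives a plain document; with_ole=True adds an embedded Package
    object, or a linked object with an external target when link_target is set.
    """
    rels, body, files = "", "<w:p><w:r><w:t>Hello</w:t></w:r></w:p>", {}
    if with_ole:
        if link_target:
            rels = (f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
                    f'Target="{link_target}" TargetMode="External"/>')
            ole_type = "Link"
        else:
            rels = (f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
                    'Target="embeddings/oleObject1.bin"/>')
            # Constructed stand-in for an OLE compound-file header plus padding.
            files["word/embeddings/oleObject1.bin"] = b"\xd0\xcf\x11\xe0" + b"\x00" * 16
            ole_type = "Embed"
        body += (f'<w:p><w:r><w:object><o:OLEObject Type="{ole_type}" ProgID="Package" '
                 'ShapeID="_x0000_i1025" DrawAspect="Content" ObjectID="_1" r:id="rId5"/>'
                 '</w:object></w:r></w:p>')
    files["word/document.xml"] = (
        f'<w:document xmlns:w="{W_NS}" xmlns:o="{O_NS}" xmlns:r="{R_NS}">'
        f'<w:body>{body}</w:body></w:document>').encode()
    files["word/_rels/document.xml.rels"] = (
        f'<Relationships xmlns="{REL_NS}">{rels}</Relationships>').encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # With file paths: scan real documents. Without: scan the constructed samples.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("plain.docx", build_sample_docx(False)),
        ("embedded.docx", build_sample_docx(True)),
        ("linked.docx", build_sample_docx(True, "file://fileserver.example/share/object.bin")),
    ]
    for name, blob in inputs:
        r = scan_docx(blob)
        print(f"{name}: {'REVIEW' if r['flag'] else 'ok'} "
              f"ole={len(r['ole_objects'])} embedded={len(r['embedded_files'])}")
        for o in r["ole_objects"]:
            print(f"  ProgID={o['progid']} Type={o['type']} target={o['target']} "
                  f"external={o['external']}")
```

Run it with one or more .docx paths to get a per-file verdict; with no arguments it scans the three constructed samples. The scan is deliberately conservative: because the bypass in question defeats the user-facing prompt rather than hiding the object, the presence of any OLE object in an externally sourced document is reason enough to quarantine it for review on unpatched hosts.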
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-21514 |
| Vendor / Product | Microsoft — Office |
| NVD Published | 2026-02-10 |
| NVD Last Modified | 2026-02-11 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-807 |
| CISA KEV Added | 2026-02-10 |
| CISA KEV Deadline | 2026-03-03 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Timeline
| Date | Event |
|---|---|
| 2026-01-26 | Exploitation by MuddyWater (Operation Olalampo) begins — prior to patch availability |
| 2026-02-10 | February 2026 Patch Tuesday — patch released; CVE published; added to CISA KEV catalog as active zero-day |
| 2026-03-03 | CISA BOD 22-01 remediation deadline; MuddyWater campaign observed through early March |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2026-21514 | Vendor Advisory |
| NVD — CVE-2026-21514 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Tenable — FAQ on CVE-2026-21514 OLE Bypass in Microsoft Word | Security Research |
| Iranian Cyber Espionage — Operation Olalampo | Security Research |
| MuddyWater APT Launches Operation Olalampo | News |