A high-severity (CVSS 7.8) security feature bypass in Microsoft Office is being actively exploited in the wild, with a public PoC already available and the vuln now on CISA's KEV catalog. Root cause is unvalidated input handling (CWE-807) that allows malicious OLE/COM objects in crafted documents to bypass built-in protections. Attack vector is local with no privileges required — just a user opening a phishing-delivered Office file. Affects Office 2016, 2019, LTSC 2021/2024, and Microsoft 365 Apps on x86/x64. Microsoft dropped an out-of-band emergency patch on January 26, 2026. Office 2016/2019 also require a registry-based mitigation. Confirmed targeting of government agencies, critical infrastructure, and maritime/transport sectors.