Microsoft has released fixes for serious security vulnerabilities in Windows and Office. The company warns these flaws are already being actively exploited by hackers to break into computers.
These are one-click attacks, meaning a hacker can plant malware or gain access to a victim’s computer with very little user interaction. At least two of the flaws can be exploited simply by tricking someone into clicking a malicious link on their Windows system. Another can lead to a compromise when a malicious Office file is opened.
These vulnerabilities are known as zero-days because hackers were exploiting the bugs before Microsoft had a chance to fix them. Microsoft stated that details on how to exploit these bugs have been published, which could lead to more attacks. The company did not specify where this information was published.
In its announcements, Microsoft credited security researchers from Google’s Threat Intelligence Group for helping discover the vulnerabilities.
One of the bugs, tracked as CVE-2026-21510, was found in the Windows shell, a core part of the operating system’s interface. It affects all supported versions of Windows. This flaw allows hackers to bypass Microsoft’s SmartScreen security feature when a victim clicks on a malicious link. SmartScreen normally screens links and files for malware.
A security expert noted that this bug can be abused to remotely plant malware on a victim’s computer. Although the attack requires user interaction, a bug that achieves code execution from a single click is considered rare. A Google spokesperson confirmed this Windows shell bug is under widespread, active exploitation. Successful attacks allow malware to run silently with high privileges, creating a high risk for ransomware deployment or intelligence collection.
Another Windows bug, tracked as CVE-2026-21513, was found in Microsoft’s MSHTML browser engine. This legacy technology, which powered Internet Explorer, remains in newer Windows versions for compatibility. This vulnerability allows hackers to bypass Windows security features to plant malware.
According to independent security reporting, Microsoft also patched three additional zero-day bugs in its software that were being actively exploited.

