Microsoft has released security updates for a series of zero-day vulnerabilities in Windows and Office that are being actively exploited by attackers. The company described the exploits as one-click attacks that can install malware or grant unauthorized access with minimal user interaction.
Two of the flaws can be triggered when a user clicks a malicious link on a Windows computer, while a third can compromise a system when a malicious Office file is opened. Microsoft classified the bugs as zero-days because they were being used before patches were available. Details of the exploitation methods have been published, increasing the risk of further attacks. Microsoft did not disclose the source of the published details, and a spokesperson did not immediately comment to TechCrunch when asked about the publication.
Security researchers from Google’s Threat Intelligence Group are credited with discovering the vulnerabilities. One of the bugs, identified as CVE‑2026‑21510, resides in the Windows shell that powers the operating system’s user interface and affects all supported Windows versions. When a victim clicks a malicious link, the vulnerability bypasses Microsoft’s SmartScreen filter, which normally blocks malicious links and files. Security expert Dustin Childs noted that the bug can be used to remotely plant malware. “There is user interaction here, as the client needs to click a link or a shortcut file,” Childs wrote in his blog post. “Still, a one‑click bug to gain code execution is a rarity.”
A Google spokesperson confirmed that the Windows shell vulnerability is under “widespread, active exploitation” and can enable silent execution of high‑privilege malware, raising the risk of ransomware deployment or intelligence collection. The second Windows zero‑day, CVE‑2026‑21513, is located in Microsoft’s proprietary MSHTML browser engine, originally used by Internet Explorer and retained for backward compatibility. Microsoft said the flaw allows attackers to bypass Windows security controls to install malware.
Independent security reporter Brian Krebs reported that Microsoft also patched three additional zero‑day bugs that were being actively exploited, though the details of those vulnerabilities were not disclosed in the announcement. Microsoft’s response includes the release of patches for all identified zero‑day bugs, urging users to apply the updates promptly to mitigate the risk of compromise.
