PowerShell script to check, apply, and test the Kill-Bit protection for the CVE-2026-21509 Microsoft Office zero-day vulnerability affecting Office 2016/2019/LTSC.
Critical RCE vulnerability in Microsoft Office OLE/COM handling (CVSS 9.8). Actively exploited by APT28 (Fancy Bear) via malicious RTF/DOC files targeting Shell.Explorer COM object {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}.
Affected: Office 2016, 2019, LTSC 2021/2024, Microsoft 365 Apps (pre-January 26, 2026 patches)
| Feature | Description |
|---|---|
| Kill-Bit Check | Detects if protection is active in registry |
| Auto-Patch | Sets Kill-Bit for 32/64-bit Office |
| Test File | Creates RTF dummy to verify Kill-Bit blocks COM object |
| KB Checker | Lists KB5002694/KB5002695 patches |
| Restore | Removes Kill-Bit (post-official patch) |
| Auto-detect | Identifies Office architecture |
- Windows 10/11 with Office 2016+
- PowerShell 5.1+ (built-in)
- Administrator rights (required for registry)
- Download CVE-2026-21509.ps1
- Right-click → "Run with PowerShell" (as Administrator)
- Menu-driven - no parameters needed
=== CVE-2026-21509 Office Kill-Bit Management ===
░█▀▀░█░█░█▀▀░░░░░▀▀▄░▄▀▄░▀▀▄░▄▀▀░░░░░▀▀▄░▀█░░█▀▀░▄▀▄░▄▀▄
░█░░░▀▄▀░█▀▀░▄▄▄░▄▀░░█/█░▄▀░░█▀▄░▄▄▄░▄▀░░░█░░▀▀▄░█/█░░▀█
░▀▀▀░░▀░░▀▀▀░░░░░▀▀▀░░▀░░▀▀▀░░▀░░░░░░▀▀▀░▀▀▀░▀▀░░░▀░░▀▀░
Name: CVE-2026-21509.ps1
=====================================================
1. Check Kill-Bit Status [Recommended first]
2. Apply Kill-Bit Protection [If missing]
3. Test with Dummy COM File [Verify protection]
4. Remove Kill-Bit (Restore) [After official patch]
5. Check KB Updates [Patch status]
0. Exit
# 1. Check status
Option 1 → "Kill-Bit MISSING" = Vulnerable!
# 2. Apply protection
Option 2 → "PROTECTED! 2 registry entries patched"
# 3. Verify with test
Option 3 → Creates test RTF → Open in Word
✓ Kill-Bit works = "Object cannot be activated"
✗ Vulnerable = Object loads

| Kill-Bit Status | Word Behavior | Protection |
|---|---|---|
| Active | "Cannot activate object" / Blank area | ✅ SAFE |
| Inactive | COM object loads / potential RCE |
| KB | Office Version | Release |
|---|---|---|
| KB5002694 | Office 2016/2019 | Jan 26, 2026 |
| KB5002695 | LTSC 2021/2024, M365 | Jan 26, 2026 |
Option 5 shows installed status via Get-HotFix.
64-bit Office:
HKLM\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
"Compatibility Flags" = dword:00000400
32-bit Office:
HKLM\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\...
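
A read-only way to confirm the value above, as an added example that is not taken from CVE-2026-21509.ps1. `Test-OfficeKillBit` is a hypothetical helper name; it tests the 0x400 bit instead of comparing for equality, so a value carrying additional flags is still reported as protected. Only the 64-bit path is queried because the 32-bit path is truncated on this page.

```powershell
# Added example: read-only check of the Kill-Bit registry value described on this page.
$Clsid   = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'   # CLSID from this page
$KillBit = 0x400                                      # "Compatibility Flags" = dword:00000400

function Test-OfficeKillBit {                         # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$KeyPath,       # key path without the HKLM\ prefix
        [string]$ValueName = 'Compatibility Flags'
    )
    $result = [ordered]@{ Key = "HKLM\$KeyPath"; State = $null; Flags = $null }
    # Pin the 64-bit registry view so a 32-bit PowerShell host is not silently redirected.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
    $key = $hklm.OpenSubKey($KeyPath, $false)         # $false = open without write access
    try {
        if ($null -eq $key) { $result.State = 'KeyMissing' }
        elseif ($null -eq $key.GetValue($ValueName, $null)) { $result.State = 'ValueMissing' }
        elseif ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            # The page specifies a dword; any other value type is reported, not interpreted.
            $result.State = 'WrongType'
        }
        else {
            $value = $key.GetValue($ValueName)
            $result.Flags = '0x{0:X8}' -f $value
            # Bit test, not equality: other compatibility flags may be OR-ed into the value.
            $result.State = if (($value -band $KillBit) -eq $KillBit) { 'Protected' } else { 'BitNotSet' }
        }
    }
    finally {
        if ($key) { $key.Close() }
        $hklm.Close()
    }
    [pscustomobject]$result
}

# Path given in full on this page (64-bit Office). For 32-bit Office, call the function
# again with the complete WOW6432Node key path.
Test-OfficeKillBit -KeyPath "SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\$Clsid"
```

Any `State` other than `Protected` means the Kill-Bit described above is not in effect for that key.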
| Issue | Solution |
|---|---|
| "Access denied" | Run as Administrator |
| "Office not found" | Office 2016+ installation required |
| Test file "safe" but KB missing | Kill-Bit works, install KB anyway |
| Legit COM objects broken | Temporary - remove after KB install |
- Kill-Bit blocks ONLY this CLSID - other Office functions unaffected
- Official patches automatically set/remove Kill-Bit
- Test file is SAFE - contains no executable code, only CLSID reference
- Phishing still dangerous - keep Protected View enabled
- ✅ Install KB5002694/95 from Windows Update / Update Catalog
- ✅ Option 4 → Remove Kill-Bit (optional, patch handles it)
- ✅ Delete test file from %TEMP%
MIT License - Free for personal/commercial use.
Not official Microsoft software. Use at your own risk. Tested on Windows 10/11 with Office 2016-2024.
⭐ Star on GitHub if helpful!
🐛 Issues? Open an issue
References:
CISA KEV | MSRC | BornCity Blog