Microsoft has released fixes for security vulnerabilities in Windows and Office that the company says are being actively abused by hackers to break into people’s computers.
Exploits are one-click attacks, meaning a hacker can install malware or gain access to a victim’s computer with minimal user interaction. At least two flaws can be exploited to trick someone into clicking a malicious link on their Windows computer. Another can result in a compromise to open a malicious Office file.
The vulnerabilities are known as zero-days because hackers exploited the bugs before Microsoft could fix them.
Details about how to exploit the bugs have been released, Microsoft said, potentially raising the possibility of hacks. Microsoft did not say where they were published, and a Microsoft representative did not immediately comment when reached by TechCrunch. In its bug reports, Microsoft acknowledged the contribution of security researchers in Google’s Threat Intelligence team in discovering the vulnerabilities.
Microsoft said that one of the bugs, officially tracked as CVE-2026-21510found in the Windows shell, which powers the operating system’s user interface. The bug affects all supported versions of Windows, the company said. When a victim clicks on a malicious link from their computer, the flaw allows hackers to bypass Microsoft’s SmartScreen feature that normally checks malicious links and files for malware.
According to security expert Dustin Childsthis bug can be abused to remotely install malware on the victim’s computer.
“There is user interaction here as the customer has to click on a link or a shortcut file,” Childs wrote in his blog post. “However, a one-click error to obtain code execution is rare.”
A Google spokesperson confirmed that the Windows shell bug was under “broad, active exploitation” and said that successful hacks allowed malware to run silently with elevated privileges, “posing a high risk of subsequent system compromise, ransomware deployment, or information gathering.”
Another Windows error, tracked as CVE-2026-21513found in Microsoft’s proprietary browser engine, MSHTML, which powers the long-discontinued Internet Explorer browser. It is still found in newer versions of Windows to ensure compatibility with older applications.
Microsoft said this bug allows hackers to bypass security features in Windows to plant malware.
According to independent security reporter Brian Krebs, Microsoft has also patched three more zero-day bugs in its software that hackers were actively exploiting.
