Microsoft has rolled out fixes for security vulnerabilities in Windows and Office, which the company says are being actively abused by hackers to break into people’s computers.
The exploits are one-click attacks, meaning that a hacker can plant malware or gain access to a victim’s computer with minimal user interaction. At least two flaws can be exploited by tricking someone into clicking a malicious link on their Windows computer. Another can result in a compromise on opening a malicious Office file.
The vulnerabilities are known as zero-days, because the hackers were exploiting the bugs before Microsoft had time to fix them.
Details of how to exploit the bugs have been published, Microsoft said, potentially increasing the chance of hacks. Microsoft did not say where they had been published, and a Microsoft spokesperson did not immediately comment when reached by TechCrunch. In its bug reports, Microsoft acknowledged the input of security researchers in Google’s Threat Intelligence Group in their discovery of the vulnerabilities.
Microsoft said one of the bugs, officially tracked as CVE-2026-21510, was found in the Windows shell, which powers the operating system’s user interface. The bug affects all supported versions of Windows, the company said. When a victim clicks on a malicious link from their computer, the bug allows hackers to bypass Microsoft’s SmartScreen feature that would typically screen malicious links and files for malware.
According to security expert Dustin Childs, this bug can be abused to remotely plant malware on the victim’s computer.
“There is user interaction here, as the client needs to click a link or a shortcut file,” Childs wrote in his blog post. “Still, a one-click bug to gain code execution is a rarity.”
A Google spokesperson confirmed that the Windows shell bug was under “widespread, active exploitation,” and said successful hacks allowed the silent execution of malware with high privileges, “posing a high risk of subsequent system compromise, deployment of ransomware, or intelligence collection.”
Another Windows bug, tracked as CVE-2026-21513, was found in Microsoft’s proprietary browser engine, MSHTML, which powers its legacy and long-discontinued Internet Explorer browser. It’s still found in newer versions of Windows to ensure backward compatibility with older apps.
Microsoft said this bug allows hackers to bypass security features in Windows to plant malware.
According to independent security reporter Brian Krebs, Microsoft also patched three other zero-day bugs in its software that were being actively exploited by hackers.
