Microsoft has patched security vulnerabilities in Windows and Office that the company says are being actively exploited by hackers to break into people’s computers.
These are one-click attacks, meaning a hacker can plant malware or gain access to a victim’s computer with minimal user interaction. At least two flaws can be exploited by tricking someone into clicking a malicious link on their Windows computer. Another can lead to a compromise when opening a malicious Office file.
The vulnerabilities are known as zero-days because hackers exploited the bugs before Microsoft could fix them.
Details on how to exploit the flaws have been made public, Microsoft said, potentially increasing the chance of a hack. Microsoft did not say where they were posted, and a Microsoft spokesperson did not immediately comment when contacted by TechCrunch. In its bug reports, Microsoft acknowledged the contribution of security researchers from Google’s Threat Intelligence Group in their discovery of the vulnerability.
Microsoft said one of the bugs, officially tracked as CVE-2026-21510, was found in the Windows environment that powers the operating system’s user interface. The bug affects all supported versions of Windows, the company said. When a victim clicks on a malicious link on their computer, the flaw allows hackers to bypass Microsoft’s SmartScreen feature, which normally screens links and files for malware.
According to security expert Dustin Childs, this flaw can be exploited to remotely plant malware on a victim’s computer.
“User interaction occurs here because the client has to click on a link or shortcut file,” Childs wrote in his blog post. “However, a one-click error to get the code to run is rare.”
A Google spokesperson confirmed that the Windows environment flaw was “widespread and actively exploited” and said that successful hacks allow malware to be silently launched with elevated privileges, which “presents a high risk of subsequent system compromise, ransomware deployment, or information gathering.”
Another Windows bug, tracked as CVE-2026-21513, was found in Microsoft’s proprietary browser engine, MSHTML, which powers its older and long-unsupported Internet Explorer browser. It is still found in newer versions of Windows to ensure backward compatibility with older applications.
Microsoft said the flaw allows hackers to bypass security features in Windows and plant malware.
According to independent security reporter Brian Krebs, Microsoft has also fixed three other zero-day bugs in its software that were actively exploited by hackers.