Microsoft says hackers are exploiting critical zero-day bugs to target Windows and Office users

Source: TechCrunch


Microsoft has rolled out fixes for vulnerabilities in Windows and Office, which the company says are being actively abused by hackers to break into people’s computers.

The exploits are one-click attacks, meaning a hacker can plant malware or gain access to a victim’s computer with minimal user interaction. At least two flaws can be exploited by tricking someone into clicking a malicious link on their Windows computer. Another could lead to compromise when the victim opens a malicious Office file.

The vulnerabilities are known as “zero-days,” because hackers were exploiting the bugs before Microsoft had time to fix them.

Microsoft said that details have been published on how to exploit the bugs, which may increase the chances of hacking. Microsoft did not say where the details were published, and a Microsoft spokesperson did not immediately comment when contacted by TechCrunch. In its bug reports, Microsoft acknowledged the input of security researchers at Google’s Threat Intelligence Group in the discovery of the vulnerabilities.

Microsoft said one of the bugs, officially tracked as CVE-2026-21510, was found in the Windows shell, which powers the operating system’s user interface. The company said that the bug affects all supported versions of the Windows operating system. When a victim clicks on a malicious link on their computer, the bug allows hackers to bypass Microsoft’s SmartScreen feature, which normally screens links and files for malware.

According to security expert Dustin Childs, this bug can be misused to remotely plant malware on a victim’s computer.

“There is user interaction here, where the customer needs to click on a link or shortcut file,” Childs wrote in his blog post. “However, a single-click error to execute the code is rare.”

A Google spokesperson confirmed that the Windows Shell bug was under “active and widespread exploitation,” and said that successful breaches allowed for silent execution of high-privilege malware, “which poses a significant risk of subsequent system compromise, ransomware deployment, or intelligence gathering.”

Another Windows bug, tracked as CVE-2026-21513, was found in Microsoft’s proprietary browser engine, MSHTML, which powers the legacy and long-discontinued Internet Explorer browser. It is still present in newer versions of Windows to ensure compatibility with older applications.

Microsoft said this bug allows hackers to bypass security features in the Windows operating system to plant malware.

According to independent security reporter Brian Krebs, Microsoft has also patched three other bugs in its software that were being actively exploited by hackers.


🕒 **Posted on**: 1770863736
