## https://sploitus.com/exploit?id=3AA7C100-914A-59C6-BE72-E229D8D796F3
# Detections for the CVE-2026-21509 vulnerability in MS Office
This repository contains a YARA rule to detect RTF documents with a potential exploit for CVE-2026-21509,
and a Python script to check if MS Office files contain `Shell.Explorer.1` OLE objects, which is related
to that vulnerability.
See https://decalage.info/CVE-2026-21509/ for more technical details.
## YARA rule for RTF files
This rule matches RTF documents containing `Shell.Explorer.1` OLE objects, which are used to
exploit the CVE-2026-21509 vulnerability. It detects all the samples uploaded to
MalwareBazaar: https://bazaar.abuse.ch/browse/tag/CVE-2026-21509/
There is no good reason for legitimate documents to embed such an OLE object (which is used
to embed the Internet Explorer engine into other applications), so there should be very few
false positives.
## olecheck - Python script to analyze MS Office files
According to the MS advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
the CVE-2026-21509 vulnerability is related to CLSID `EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B`,
corresponding to the "Shell.Explorer.1" COM object, which can be used to open the legacy
Internet Explorer engine (aka Trident/MSHTML) from any application.
So to exploit CVE2026-21509 from a MS Office document, one could use either an OLE object
of type "Shell.Explorer.1", or use an external relationship with a special URL that would
trigger the use of the Internet Explorer engine, as it was the case for CVE-2021-40444
with "mhtml:" URLs.
This script simply tries to identify both cases.