CVE-2021-42293 Microsoft CVE debrief

Who should care

Organizations running Microsoft Office or Microsoft 365 Apps with Jet Red Database Engine or Access Connectivity Engine components, particularly those processing untrusted database files or operating in multi-user environments where privilege escalation could impact system availability.

Technical summary

CVE-2021-42293 is an elevation of privilege vulnerability affecting the Microsoft Jet Red Database Engine and Access Connectivity Engine components. The vulnerability has a CVSS 3.1 score of 6.5 (MEDIUM severity) with an attack vector of network-accessible, low attack complexity, and requires low privileges. The vulnerability impacts availability (HIGH) with no direct impact to confidentiality or integrity. Affected products include Microsoft 365 Apps (Enterprise x64/x86), Office 2013 SP1 (x64/x86/RT), Office 2016 (x64/x86), Office 2019 (x64/x86), and Office LTSC 2021 (x64/x86). Microsoft has released security updates to address this vulnerability. Organizations should prioritize patching based on their use of Jet/ACE database components in Office applications.

Defensive priority

medium

Recommended defensive actions

• Apply Microsoft security updates per vendor advisory
• Review Microsoft Security Response Center guidance for CVE-2021-42293
• Validate Office and 365 Apps installations are patched
• Monitor for anomalous database engine activity in enterprise environments

Evidence notes

CVE published 2021-12-15. Modified 2026-05-19. CVSS 6.5 (MEDIUM). Not in CISA KEV.

Official resources