Microsoft released a batch of security fixes for Office and SharePoint on July 14, 2026, quietly closing a vulnerability that could allow a crafted document to siphon sensitive data from your PC. Tracked as CVE-2026-55035, the flaw carries a “Medium” 5.5 CVSS score, but that label masks a broader risk: every recent version of Office on Windows and Mac, plus on-premises SharePoint servers, is affected.

What Changed Under the Hood

CVE-2026-55035 is an out-of-bounds read (CWE-125) in Microsoft Office. When Office processes a specially crafted file — perhaps a cleverly malformed Word document or spreadsheet — it can read memory it shouldn’t, leaking snippets of data. Microsoft’s own CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) reveals the attack requires user interaction: someone must open that tainted file on a vulnerable system. It’s local rather than network-triggered, but once opened, no extra privileges are needed to extract high-value confidential information.

The list of affected software is long:

  • Microsoft 365 Apps for enterprise (32-bit and 64-bit Windows)
  • Office 2016 and Office 2019 (Windows)
  • Office LTSC 2021 and Office LTSC 2024 (Windows)
  • Microsoft 365 and Office for Mac
  • Office LTSC for Mac 2021 and Office LTSC for Mac 2024
  • SharePoint Enterprise Server 2016 and SharePoint Server 2019

Specific builds matter here. Office for Mac needs version 16.111.26071215 or later. For Windows, Office 2016 builds prior to 16.0.5561.1000 are vulnerable, while SharePoint Server 2016 requires at least build 16.0.5561.1001. Microsoft’s advisory confirms the issue with high confidence — it’s not a rumored weakness but a validated memory-safety bug that was fixed internally before any public disclosure or exploit appeared.

The Risk That a 5.5 Score Conceals

A CVSS base of 5.5 lands squarely in the “Medium” bracket. That might tempt some teams to postpone the patch. But security practitioners have long argued that CVSS alone doesn’t tell the full story. The high confidentiality impact means a successful exploit can expose sensitive data — potentially fragments of documents, memory addresses, or even decrypted content. While the exact nature of leaked information isn’t publicly detailed, Microsoft’s rating signals a “high” loss of confidentiality within the affected security context. For an attacker, such dribbles of memory can be priceless, often serving as building blocks for more sophisticated attacks. Even without an immediate remote code execution payload, an information leak can undermine encryption, bypass address space layout randomization (ASLR), or reveal credentials stashed in memory.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) assessed CVE-2026-55035 as not readily automatable and “partial” technical impact — another clue that skilled adversaries might still find value in targeted phishing campaigns. The attack path is classic: send a malicious file, trick a user into opening it. No exploit was publicly available at patch time, and Microsoft assessed exploitation as “less likely.” But now that a fix exists, reverse engineers often race to analyze the patch, which could eventually lead to proof-of-concept code. So the window to proactively patch is now.

Who Needs to Act — and Fast

Home Users and Small Businesses

If you use Microsoft 365 Apps (the subscription Office that receives automatic updates), your software may have already updated itself if you’re on the default Current Channel. Open any Office app, go to File > Account > About, and check your build number. For Windows, you should see a number at or above the July 14 release. On a Mac, ensure you’re on version 16.111.26071215. If not, trigger an update manually: File > Account > Update Options > Update Now. For those running older perpetual licenses like Office 2016 or 2019, you’ll need to download and install the patch from Microsoft Update or the Microsoft Download Center if you haven’t already. These don’t always update silently.

Enterprise IT and Managed Fleets

Here’s where complexity kicks in. Microsoft 365 Apps are serviced through channels — Semi-Annual Enterprise Channel (SAC), Monthly Enterprise Channel, etc. Your devices might not get the fix until your channel releases its next build, or you might have to approve an update in Configuration Manager or Intune. Verify your organization’s Office Update policies. For MSI-based installations (common with Office 2016), you must deploy the specific security packages from the July 2026 Office release. Microsoft’s detailed knowledge base article (KB5105810) lists separate updates for shared Office components and individual apps — don’t assume a single patch covers everything.

SharePoint Administrators

This CVE isn’t just about client apps. SharePoint Server 2016 and 2019 include Office components that inherit the same vulnerability. Patching your users’ Office clients is only half the battle. You’ll need to apply the July 2026 cumulative update to your SharePoint farm. Plan for downtime, validate in a test environment, and run the SharePoint Products Configuration Wizard if required. The National Cyber Security Centre of Ireland noted over 100 vulnerabilities fixed in that month’s Office updates; SharePoint admins should prioritize this one not for its severity, but for its potential to leak data from document libraries or server memory if an attacker finds a way to trigger the parsing path on the server side.

How We Got Here: A Vuln in the Wild

Memory-corruption bugs in Office have a long, storied history. The shift to Click-to-Run servicing and the gradual retirement of legacy document formats haven’t eliminated the risk — old parsers still linger, and new features introduce fresh code paths. CVE-2026-55035 originates from an out-of-bounds read, a class of vulnerability often uncovered through fuzzing or security researcher reports. Microsoft credited no external researcher, but the flaw was confirmed internally and addressed alongside other July 2026 fixes. The relatively low initial CVSS score likely delayed public alarm, but the sheer breadth of affected products (spanning back to Office 2016) signals that patch teams must scan legacy systems. Many organizations still run Office 2016 on isolated networks or older Windows builds; those machines won’t receive automatic Office updates and require manual intervention.

What You Should Do Right Now

Step 1: Inventory your Office installations. Use tools like the Microsoft 365 Apps admin center, Configuration Manager reports, or even a simple PowerShell script to query installed Office versions across your fleet. For Macs, check Jamf or other MDM.

Step 2: Identify the update mechanism. Is Office updated by Windows Update, by a management tool, or are you using the Microsoft AutoUpdate on Mac? For Click-to-Run, note the update channel and its release cadence.

Step 3: Apply the patch. For Microsoft 365 Apps, force an update on a test machine, verify the build, then roll out. For MSI-based Office, download the July 2026 security packages from the official Microsoft Update Catalog.

Step 4: Verify SharePoint servers. Check the product/patch configuration database to confirm the expected SharePoint build is installed. Run the Health Analyzer after patching.

Step 5: Use defense-in-depth. While rolling out patches, reinforce email filtering, disable automatic preview in Outlook, and consider Protected View or Application Guard for Office if your licensing allows. These steps won’t close the vulnerability but can blunt an attack that slips through.

Step 6: Communicate with users. If you delay patching for testing, warn employees about unsolicited Office documents, especially from external sources. A brief “think before you double-click” reminder never hurts.

Outlook: Watch the Post-Patch Window

Now that Microsoft has detailed CVE-2026-55035, security researchers will dissect the update. Within weeks, expect deep-dive blog posts that could illuminate the vulnerable code path and possibly produce a benign proof-of-concept. Historically, even Medium-rated Office flaws have eventually been used in targeted attacks. Microsoft’s Exploitability Index currently says “Less Likely,” but that can change. Keep an eye on the Microsoft Security Response Center’s update page and your threat intelligence feeds. The real message of July 14, 2026, is that patching Office isn’t just about blocking ransomware — sometimes it’s about plugging a quiet leak that could empty your data drop by drop.