On July 14, 2026, Microsoft released its monthly security updates for Office, and buried among the fixes is a patch for an information-disclosure vulnerability that could quietly expose sensitive data from millions of PCs. The bug, tracked as CVE-2026-55057, affects nearly every supported version of Office on Windows and Mac, from perpetual Office 2016 installs to the latest Microsoft 365 subscription apps. While it doesn't allow attackers to execute code or crash systems, it can leak high-value information when a user simply opens a malicious document.
What the July 14 Patch Fixed
Microsoft’s advisory confirms that the vulnerability stems from an integer overflow error (CWE-190) inside Office. The flaw lets an attacker retrieve sensitive information from a system if they can trick someone into opening a crafted file—an email attachment, a download, or a document from a compromised share. The attacker doesn’t need an account or special privileges; they just need the user to double-click.
The fix arrived in the July 2026 Office security update bundle. For Click-to-Run editions like Microsoft 365 Apps, it means advancing to a patched build for your assigned channel. For MSI-based installations, such as Office 2016, the update comes as a set of component-specific packages. The July release includes separate fixes for Excel 2016 (KB5002886), Word 2016 (KB5002890), PowerPoint 2016 (KB5002867), and the core Office 2016 MSO component (KB5002887), among others. On macOS, the update moves Office for Mac and Office LTSC for Mac to version 16.111.26071215 or later.
Who Needs This Update: A Complete List
CVE-2026-55057 is remarkably widespread, touching both current subscription services and older perpetual-license editions. If you run any of the following, the July patch applies to you:
| Office Edition | Platform | Fixed Build (or Minimum Version) |
|---|---|---|
| Microsoft 365 Apps for Enterprise | Windows (32-bit, 64-bit) | Latest channel build after July 14, 2026 |
| Office 2016 | Windows | Version 16.0.5561.1000 or later |
| Office 2019 | Windows (32-bit, 64-bit) | Latest update via Windows Update |
| Office LTSC 2021 | Windows | Latest security update |
| Office LTSC 2024 | Windows | Latest security update |
| Microsoft 365 for Mac | macOS | Version 16.111.26071215 or later |
| Office LTSC for Mac 2021 | macOS | Version 16.111.26071215 or later |
| Office LTSC for Mac 2024 | macOS | Version 16.111.26071215 or later |
This list underscores a patching challenge: environments often mix Microsoft 365 Apps with legacy MSI installs, virtual desktops, and Mac fleet devices. A device managed outside your standard Windows update pipeline—or one running an older LTSC release—could easily be overlooked.
Understanding the Risk: More Than Just a Number
With a CVSS base score of 5.5, this vulnerability lands squarely in the “medium” severity bucket. But that number hides some critical nuance. The vector string—CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/H/I:N/A:N—reveals that while the attack is local and requires user interaction, the confidentiality impact is rated High. In plain terms: no one can exploit this over the internet all by themselves, but the damage, if successful, can expose truly sensitive information.
Microsoft hasn’t detailed what specific data could leak. The integer overflow classification suggests that the bug occurs during processing of complex document structures—perhaps when Office calculates a buffer size incorrectly and exposes memory contents. That memory could contain bits of other open documents, cached credentials, or internal state that an attacker can exfiltrate. It’s not remote code execution, but it’s the kind of leak that often paves the way for more damaging follow-on attacks.
Crucially, at the time of the advisory’s publication, Microsoft had seen no evidence of active exploitation. The vulnerability wasn’t publicly disclosed before the patch, and exploit code wasn’t available. That lowers the immediate fire-drill factor, but it doesn’t mean you can ignore it. Office documents are a prime vehicle for cyberattacks; a crafted Word file that silently steals data is a perennial favorite of both cybercriminals and state-sponsored groups.
The Root Cause: An Overflow in Office’s Math
Integer overflow bugs happen when a program does arithmetic that produces a result too large for the memory space it’s supposed to occupy. The value “wraps around” and becomes something unexpected. In a parser—like the one Office uses to read the intricate structures of a .docx or .xlsx file—an overflow can cause the software to read or copy more memory than intended, potentially exposing sensitive data.
Microsoft has classified this as CWE-190 (Integer Overflow or Wraparound), a common weakness in software that handles complex binary formats. Office has historically been a rich target for such flaws because its document specifications are vast and legacy-rich. That complexity means even a minor miscalculation in one component can have security implications. The July patch likely adjusts the bounds-checking logic to prevent the overflow from opening a data-exfiltration window.
How to Patch Your Systems
For home users: Run Windows Update, and make sure Office updates are included. If you use Microsoft 365 Apps, the Click-to-Run installer should update automatically in the background. On a Mac, open any Office app, go to Help > Check for Updates, and install version 16.111.26071215 or later.
For IT admins, the work is more granular:
- Microsoft 365 Apps: Force an update to the latest build for each channel (Current, Monthly Enterprise, Semi-Annual Enterprise). Verify that devices aren’t stuck on a paused channel or a failed upgrade.
- MSI-based Office 2016: Deploy all July security updates, not just one. That means pushing KB5002886 (Excel), KB5002890 (Word), KB5002867 (PowerPoint), KB5002887 (MSO), and any additional component fixes listed in the July update catalog. Use Windows Server Update Services, Configuration Manager, or the Microsoft Update Catalog.
- Office 2019 and LTSC editions: These also receive updates through Windows Update and Microsoft Update. Confirm that your patch management reports show compliance for the July 2026 release.
- Mac fleet: Whether you manage devices with Intune, Jamf Pro, or another MDM, set a compliance baseline requiring at least version 16.111.26071215 for Microsoft 365 or Office LTSC for Mac.
Beyond applying the patch, you should be suspicious of unsolicited Office documents, even from known contacts. Protected View, email filtering, and Defender for Office 365 add layers of defense, but they aren’t substitutes for the vendor fix. Use them to buy time while your updates roll out.
What’s Next
CVE-2026-55057 doesn’t belong on the very top of a July 2026 patch triage list—especially with several actively exploited zero-days in the same batch. But its broad reach makes it a slow-burn risk. Every Office version still under support is vulnerable, and a single unpatched machine that opens a poisoned document can betray data you’d rather keep private.
Over the coming weeks, Microsoft and third-party security researchers may shed more light on the technical specifics—exactly which Office component is affected, what kind of information an attacker might see, and whether exploit code surfaces. For now, closing the hole is straightforward. Check your Office versions, apply the July 14 updates, and move on.