Microsoft pushed out a batch of security fixes on July 14, 2026 that includes a patch for CVE-2026-55026, an information disclosure bug rated Important. The vulnerability sits in Office and SharePoint, and an attacker with local access to a machine can exploit it to read sensitive data without any user interaction or special permissions.

That combination—no click required, no privilege escalation needed—makes the flaw more concerning than its CVSS score of 6.2 suggests, especially for shared computers, server farms, and virtual desktop environments where many users’ documents coexist.

What actually changed with CVE-2026-55026

Microsoft’s advisory confirms that an integer overflow or wraparound in Microsoft Office can lead to unintended information disclosure. In plain terms, a local attacker who runs code on the same device (already a non-trivial barrier) can leverage that arithmetic error to peek at data Office shouldn’t be showing. The company hasn’t disclosed exactly what kind of data is at risk—pointers, memory contents, document fragments—but the CVSS vector assigns a “high” confidentiality impact, so we know the leak can be significant.

The vulnerability affects a sweeping set of products:

  • Microsoft 365 Apps for Enterprise (current and past releases)
  • Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024 (both 32- and 64-bit on Windows)
  • Office for Mac, including Microsoft 365 for Mac and Office LTSC for Mac 2021 and 2024
  • SharePoint Enterprise Server 2016
  • SharePoint Server 2019
  • SharePoint Server Subscription Edition

For SharePoint, the patched build numbers are:

  • SharePoint 2016: 16.0.5561.1001
  • SharePoint 2019: 16.0.10417.20175
  • SharePoint Subscription Edition: 16.0.19725.20434 (delivered via KB5002882)

Office for Mac is considered fixed at version 16.111.26071215 and later. On Windows, Click-to-Run editions (which most Microsoft 365 Apps and newer perpetual Office installs use) automatically receive the patch through their regular update channel; the specific build number varies by channel, and Microsoft’s security update guide lists the correct builds for each.

MSI-based installations of Office 2016 are not covered by Click-to-Run updates. They require separate security packages for Word, Excel, PowerPoint, shared components, and other products. Adminstrators must locate and apply each applicable update individually.

SharePoint farms need more than a binary drop. Before applying KB5002882, environments that run SharePoint Workflow Manager must first install KB5002799. Farms still relying on the Classic Workflow Manager must also set a debug flag as documented by Microsoft. After the binaries are in place, the SharePoint configuration wizard (or PowerShell equivalent) must be run to complete the patching. Skipping that step leaves the server effectively unpatched at the farm level.

The update also introduces a known issue: a defense-in-depth validation feature that is still under development. After running PSConfig, admins are instructed to set DisableActorTokenAudienceValidation to $true and update the farm, which turns off the new check while leaving existing actor-token validation intact. This workaround is unrelated to CVE-2026-55026 directly, but it affects the deployment procedure for the cumulative update.

What it means for you

For home users and individuals: The immediate risk is low. An attacker must already have code execution on your PC—either by tricking you into running malware, or by physical access. If your machine is well maintained, you’re not sharing it with untrusted people, and your Office apps stay up to date via Windows Update, the chance of exploitation is slim. Still, this is a confirmed vulnerability with an official fix. Apply the July 2026 Office updates through your normal patching routine.

For IT administrators and enterprise environments: The story changes. Shared workstations, terminal servers, and virtual desktop infrastructure (VDI) are prime targets. On such systems, many users’ Office sessions and documents reside on a single machine. A malicious insider or a compromised low-privilege account could exploit CVE-2026-55026 to extract data from other users’ Office documents or even from the Office process memory itself. Because no user interaction is required, an attacker who has already gained local access (through other bugs, social engineering, or internal threats) can simply run the exploit silently.

SharePoint farms are another high-concern category. The server-side component of the vulnerability means a local attacker on a SharePoint server could potentially expose content stored across the entire farm. Given that SharePoint often holds sensitive business documents, this elevates the patch priority significantly. Even though the attack vector is local, shared hosting providers or departments that allow remote desktop or PowerShell access to SharePoint servers need to move quickly.

For Mac admins: Office for Mac is explicitly listed. Ensure your managed Mac fleet updates to Office version 16.111.26071215 or later. The update should be available through Microsoft AutoUpdate (MAU) or your MDM’s software update mechanism.

How we got here

CVE-2026-55026 is part of Microsoft’s July 2026 security release, a monthly dump that fixes dozens of vulnerabilities across Windows, Office, SharePoint, Edge, and other products. Integer overflow bugs are a recurring type in large codebases like Office’s; they happen when a calculation produces a result too large for the allocated memory space, causing the value to wrap around to a much smaller number. That can lead to incorrect buffer sizes or offsets, which attackers use to read beyond allocated memory.

Microsoft classified the weakness as CWE-190 (Integer Overflow or Wraparound) and marked report confidence as “Confirmed.” That word is easy to misread—it does not mean the bug is being attacked in the wild. The CVSS also assigns Exploit Code Maturity as “Unproven,” meaning Microsoft had no evidence of functional public exploit code when the advisory was prepared. Nevertheless, a confirmed vulnerability with a high confidentiality impact and low attack complexity is never good news, especially when local access is the only thing standing between an attacker and your data.

The product list stretches across Office versions old and new. Office 2016 remains supported until October 2025 for mainstream and will receive extended security updates until October 2027, so it’s included. Office 2019 and the LTSC editions are still in support. SharePoint Server 2016 is in extended support until July 2026 (note: the patch arrived just weeks before its end-of-support date), while 2019 and Subscription Edition have years of support left.

What to do now

There is no documented workaround for CVE-2026-55026. Patching is the only mitigation. Here’s how to handle each scenario:

Windows desktops and laptops

  1. Identify your Office version and servicing model. Open any Office app, go to File > Account (or Office Account). Under Product Information, look for a version number and update channel. If you see “Microsoft 365” or “Click-to-Run”, you’re on the modern servicing model. If you see “MSI” or a build like 16.0.xxxx.xxxx without a channel, it’s MSI-based (typical of volume license installs).
  2. For Click-to-Run editions: Open the same Account page, click Update Options, and select Update Now. Or rely on Windows Update—the July security patches should be offered automatically. Verify the version after the update against the build numbers listed in Microsoft’s security update guide for your channel.
  3. For MSI-based Office 2016: Visit the Microsoft Update Catalog or use WSUS/SCCM to deploy the individual July 2026 security updates. Key packages include updates for Excel 2016 (KB500XXXX), Word 2016, PowerPoint 2016, and the Office 2016 shared component. Without an Office-wide servicing stack, you must install each relevant component update. Check Microsoft’s July 2026 Office update index for the exact KB numbers.

Mac

Launch Microsoft AutoUpdate from any Office app (Help > Check for Updates) or let MAU run its scheduled check. Ensure the installed version reaches 16.111.26071215 or higher. Organizations using MDM can use Office for Mac’s built-in update mechanism or push the latest package.

SharePoint Server farms

SharePoint admins have extra steps. Do not treat this like a simple Office update.

  1. Check prerequisites. If you use SharePoint Workflow Manager, deploy KB5002799 first. For Classic Workflow Manager, follow Microsoft’s documentation to enable the required debug flag.
  2. Apply the July 2026 cumulative update to all servers in the farm. For Subscription Edition, that’s KB5002882; for 2019, it’s a different KB; for 2016, yet another. The build numbers above are your targets.
  3. Run the SharePoint Products Configuration Wizard on each server (or use psconfig.exe in command-line mode). The patch is not complete until the farm schema is upgraded.
  4. Address the known issue. After PSConfig, run the PowerShell command `Set-SPEnterpriseSecurityNamespace -Identity